]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/lfops.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make the bootrom correctly nack in case of flash write error (e.g. due to lock bits)
[proxmark3-svn] / armsrc / lfops.c
CommitLineData
9bea179a 1//-----------------------------------------------------------------------------\r
2// Miscellaneous routines for low frequency tag operations.\r
3// Tags supported here so far are Texas Instruments (TI), HID\r
4// Also routines for raw mode reading/simulating of LF waveform\r
5//\r
6//-----------------------------------------------------------------------------\r
7#include <proxmark3.h>\r
8#include "apps.h"\r
0fa9ca5b 9#include "hitag2.h"\r
9bea179a 10#include "../common/crc16.c"\r
11\r
6f5cb60c 12int sprintf(char *dest, const char *fmt, ...);\r
13\r
9bea179a 14void AcquireRawAdcSamples125k(BOOL at134khz)\r
15{\r
0d974852 16 if (at134khz)\r
9bea179a 17 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
0d974852 18 else\r
9bea179a 19 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz\r
0d974852 20\r
21 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);\r
9bea179a 22\r
23 // Connect the A/D to the peak-detected low-frequency path.\r
24 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);\r
25\r
26 // Give it a bit of time for the resonant antenna to settle.\r
27 SpinDelay(50);\r
28\r
29 // Now set up the SSC to get the ADC samples that are now streaming at us.\r
30 FpgaSetupSsc();\r
31\r
32 // Now call the acquisition routine\r
0d974852 33 DoAcquisition125k();\r
9bea179a 34}\r
35\r
36// split into two routines so we can avoid timing issues after sending commands //\r
0d974852 37void DoAcquisition125k(void)\r
9bea179a 38{\r
39 BYTE *dest = (BYTE *)BigBuf;\r
40 int n = sizeof(BigBuf);\r
41 int i;\r
6f5cb60c 42 char output_string[64];\r
43 \r
0d974852 44 memset(dest, 0, n);\r
9bea179a 45 i = 0;\r
46 for(;;) {\r
6f5cb60c 47 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {\r
6949aca9 48 AT91C_BASE_SSC->SSC_THR = 0x43;\r
9bea179a 49 LED_D_ON();\r
50 }\r
0d974852 51 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {\r
6949aca9 52 dest[i] = (BYTE)AT91C_BASE_SSC->SSC_RHR;\r
9bea179a 53 i++;\r
54 LED_D_OFF();\r
6f5cb60c 55 if (i >= n) break;\r
9bea179a 56 }\r
57 }\r
0d974852 58 sprintf(output_string, "read samples, dest[0]=%x dest[1]=%x",\r
59 dest[0], dest[1]);\r
6f5cb60c 60 DbpString(output_string);\r
9bea179a 61}\r
62\r
0d974852 63void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, BYTE *command)\r
9bea179a 64{\r
65 BOOL at134khz;\r
66\r
0fa9ca5b 67 /* Make sure the tag is reset */\r
68 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
69 SpinDelay(2500);\r
70 \r
9bea179a 71 // see if 'h' was specified\r
0d974852 72 if (command[strlen((char *) command) - 1] == 'h')\r
73 at134khz = TRUE;\r
9bea179a 74 else\r
0d974852 75 at134khz = FALSE;\r
9bea179a 76\r
0d974852 77 if (at134khz)\r
9bea179a 78 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
0d974852 79 else\r
9bea179a 80 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz\r
0d974852 81\r
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);\r
9bea179a 83\r
84 // Give it a bit of time for the resonant antenna to settle.\r
85 SpinDelay(50);\r
0fa9ca5b 86 // And a little more time for the tag to fully power up\r
87 SpinDelay(2000);\r
9bea179a 88\r
89 // Now set up the SSC to get the ADC samples that are now streaming at us.\r
90 FpgaSetupSsc();\r
91\r
92 // now modulate the reader field\r
0d974852 93 while(*command != '\0' && *command != ' ') {\r
9bea179a 94 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
95 LED_D_OFF();\r
96 SpinDelayUs(delay_off);\r
0d974852 97 if (at134khz)\r
9bea179a 98 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
0d974852 99 else\r
9bea179a 100 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz\r
0d974852 101\r
102 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);\r
9bea179a 103 LED_D_ON();\r
0d974852 104 if(*(command++) == '0')\r
9bea179a 105 SpinDelayUs(period_0);\r
0d974852 106 else\r
9bea179a 107 SpinDelayUs(period_1);\r
0d974852 108 }\r
9bea179a 109 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
110 LED_D_OFF();\r
111 SpinDelayUs(delay_off);\r
0d974852 112 if (at134khz)\r
9bea179a 113 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
0d974852 114 else\r
9bea179a 115 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz\r
0d974852 116\r
117 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);\r
9bea179a 118\r
119 // now do the read\r
0d974852 120 DoAcquisition125k();\r
9bea179a 121}\r
122\r
7381e8f2 123/* blank r/w tag data stream\r
124...0000000000000000 01111111\r
1251010101010101010101010101010101010101010101010101010101010101010\r
1260011010010100001\r
12701111111\r
128101010101010101[0]000...\r
129\r
130[5555fe852c5555555555555555fe0000]\r
131*/\r
0d974852 132void ReadTItag(void)\r
7381e8f2 133{\r
134 // some hardcoded initial params\r
135 // when we read a TI tag we sample the zerocross line at 2Mhz\r
136 // TI tags modulate a 1 as 16 cycles of 123.2Khz\r
137 // TI tags modulate a 0 as 16 cycles of 134.2Khz\r
138 #define FSAMPLE 2000000\r
139 #define FREQLO 123200\r
140 #define FREQHI 134200\r
141\r
142 signed char *dest = (signed char *)BigBuf;\r
143 int n = sizeof(BigBuf);\r
144// int *dest = GraphBuffer;\r
145// int n = GraphTraceLen;\r
146\r
147 // 128 bit shift register [shift3:shift2:shift1:shift0]\r
148 DWORD shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;\r
149\r
150 int i, cycles=0, samples=0;\r
151 // how many sample points fit in 16 cycles of each frequency\r
152 DWORD sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;\r
153 // when to tell if we're close enough to one freq or another\r
154 DWORD threshold = (sampleslo - sampleshi + 1)>>1;\r
155\r
156 // TI tags charge at 134.2Khz\r
157 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
158\r
159 // Place FPGA in passthrough mode, in this mode the CROSS_LO line\r
160 // connects to SSP_DIN and the SSP_DOUT logic level controls\r
161 // whether we're modulating the antenna (high)\r
162 // or listening to the antenna (low)\r
163 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);\r
164\r
165 // get TI tag data into the buffer\r
166 AcquireTiType();\r
167\r
168 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
169\r
170 for (i=0; i<n-1; i++) {\r
171 // count cycles by looking for lo to hi zero crossings\r
172 if ( (dest[i]<0) && (dest[i+1]>0) ) {\r
173 cycles++;\r
174 // after 16 cycles, measure the frequency\r
175 if (cycles>15) {\r
176 cycles=0;\r
177 samples=i-samples; // number of samples in these 16 cycles\r
178\r
179 // TI bits are coming to us lsb first so shift them\r
180 // right through our 128 bit right shift register\r
181 shift0 = (shift0>>1) | (shift1 << 31);\r
182 shift1 = (shift1>>1) | (shift2 << 31);\r
183 shift2 = (shift2>>1) | (shift3 << 31);\r
184 shift3 >>= 1;\r
185\r
186 // check if the cycles fall close to the number\r
187 // expected for either the low or high frequency\r
188 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {\r
189 // low frequency represents a 1\r
190 shift3 |= (1<<31);\r
191 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {\r
192 // high frequency represents a 0\r
193 } else {\r
194 // probably detected a gay waveform or noise\r
195 // use this as gaydar or discard shift register and start again\r
196 shift3 = shift2 = shift1 = shift0 = 0;\r
197 }\r
198 samples = i;\r
199\r
200 // for each bit we receive, test if we've detected a valid tag\r
201\r
202 // if we see 17 zeroes followed by 6 ones, we might have a tag\r
203 // remember the bits are backwards\r
204 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {\r
205 // if start and end bytes match, we have a tag so break out of the loop\r
206 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {\r
207 cycles = 0xF0B; //use this as a flag (ugly but whatever)\r
208 break;\r
209 }\r
210 }\r
211 }\r
212 }\r
213 }\r
214\r
215 // if flag is set we have a tag\r
216 if (cycles!=0xF0B) {\r
217 DbpString("Info: No valid tag detected.");\r
218 } else {\r
219 // put 64 bit data into shift1 and shift0\r
220 shift0 = (shift0>>24) | (shift1 << 8);\r
221 shift1 = (shift1>>24) | (shift2 << 8);\r
222\r
223 // align 16 bit crc into lower half of shift2\r
224 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;\r
225\r
226 // if r/w tag, check ident match\r
227 if ( shift3&(1<<15) ) {\r
228 DbpString("Info: TI tag is rewriteable");\r
229 // only 15 bits compare, last bit of ident is not valid\r
230 if ( ((shift3>>16)^shift0)&0x7fff ) {\r
231 DbpString("Error: Ident mismatch!");\r
232 } else {\r
233 DbpString("Info: TI tag ident is valid");\r
234 }\r
235 } else {\r
236 DbpString("Info: TI tag is readonly");\r
237 }\r
238\r
239 // WARNING the order of the bytes in which we calc crc below needs checking\r
240 // i'm 99% sure the crc algorithm is correct, but it may need to eat the\r
241 // bytes in reverse or something\r
242 // calculate CRC\r
243 DWORD crc=0;\r
244\r
245 crc = update_crc16(crc, (shift0)&0xff);\r
246 crc = update_crc16(crc, (shift0>>8)&0xff);\r
247 crc = update_crc16(crc, (shift0>>16)&0xff);\r
248 crc = update_crc16(crc, (shift0>>24)&0xff);\r
249 crc = update_crc16(crc, (shift1)&0xff);\r
250 crc = update_crc16(crc, (shift1>>8)&0xff);\r
251 crc = update_crc16(crc, (shift1>>16)&0xff);\r
252 crc = update_crc16(crc, (shift1>>24)&0xff);\r
253\r
6f5cb60c 254 char output_string[64];\r
255 sprintf(output_string, "Info: Tag data_hi=%x, data_lo=%x, crc=%x",\r
256 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);\r
257 DbpString(output_string);\r
7381e8f2 258 if (crc != (shift2&0xffff)) {\r
6f5cb60c 259 sprintf(output_string, "Error: CRC mismatch, expected %x", (unsigned int)crc);\r
260 DbpString(output_string);\r
7381e8f2 261 } else {\r
262 DbpString("Info: CRC is good");\r
263 }\r
264 }\r
265}\r
266\r
267void WriteTIbyte(BYTE b)\r
268{\r
269 int i = 0;\r
270\r
271 // modulate 8 bits out to the antenna\r
272 for (i=0; i<8; i++)\r
273 {\r
274 if (b&(1<<i)) {\r
275 // stop modulating antenna\r
6949aca9 276 LOW(GPIO_SSC_DOUT);\r
7381e8f2 277 SpinDelayUs(1000);\r
278 // modulate antenna\r
6949aca9 279 HIGH(GPIO_SSC_DOUT);\r
7381e8f2 280 SpinDelayUs(1000);\r
281 } else {\r
282 // stop modulating antenna\r
6949aca9 283 LOW(GPIO_SSC_DOUT);\r
7381e8f2 284 SpinDelayUs(300);\r
285 // modulate antenna\r
6949aca9 286 HIGH(GPIO_SSC_DOUT);\r
7381e8f2 287 SpinDelayUs(1700);\r
288 }\r
289 }\r
290}\r
291\r
9bea179a 292void AcquireTiType(void)\r
293{\r
7381e8f2 294 int i, j, n;\r
9bea179a 295 // tag transmission is <20ms, sampling at 2M gives us 40K samples max\r
296 // each sample is 1 bit stuffed into a DWORD so we need 1250 DWORDS\r
7381e8f2 297 #define TIBUFLEN 1250\r
9bea179a 298\r
299 // clear buffer\r
300 memset(BigBuf,0,sizeof(BigBuf));\r
301\r
302 // Set up the synchronous serial port\r
6949aca9 303 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;\r
304 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;\r
9bea179a 305\r
306 // steal this pin from the SSP and use it to control the modulation\r
6949aca9 307 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;\r
0d974852 308 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;\r
9bea179a 309\r
6949aca9 310 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;\r
311 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;\r
9bea179a 312\r
6949aca9 313 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long\r
314 // 48/2 = 24 MHz clock must be divided by 12\r
315 AT91C_BASE_SSC->SSC_CMR = 12;\r
9bea179a 316\r
6949aca9 317 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);\r
318 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;\r
319 AT91C_BASE_SSC->SSC_TCMR = 0;\r
320 AT91C_BASE_SSC->SSC_TFMR = 0;\r
9bea179a 321\r
322 LED_D_ON();\r
323\r
324 // modulate antenna\r
6949aca9 325 HIGH(GPIO_SSC_DOUT);\r
9bea179a 326\r
327 // Charge TI tag for 50ms.\r
328 SpinDelay(50);\r
329\r
330 // stop modulating antenna and listen\r
6949aca9 331 LOW(GPIO_SSC_DOUT);\r
9bea179a 332\r
333 LED_D_OFF();\r
334\r
335 i = 0;\r
336 for(;;) {\r
6949aca9 337 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {\r
338 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer\r
339 i++; if(i >= TIBUFLEN) break;\r
340 }\r
341 WDT_HIT();\r
9bea179a 342 }\r
343\r
344 // return stolen pin to SSP\r
6949aca9 345 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;\r
346 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;\r
9bea179a 347\r
7381e8f2 348 char *dest = (char *)BigBuf;\r
349 n = TIBUFLEN*32;\r
350 // unpack buffer\r
351 for (i=TIBUFLEN-1; i>=0; i--) {\r
352// DbpIntegers(0, 0, BigBuf[i]);\r
353 for (j=0; j<32; j++) {\r
354 if(BigBuf[i] & (1 << j)) {\r
355 dest[--n] = 1;\r
356 } else {\r
357 dest[--n] = -1;\r
358 }\r
9bea179a 359 }\r
360 }\r
361}\r
362\r
9bea179a 363// arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc\r
364// if crc provided, it will be written with the data verbatim (even if bogus)\r
365// if not provided a valid crc will be computed from the data and written.\r
366void WriteTItag(DWORD idhi, DWORD idlo, WORD crc)\r
367{\r
368\r
369 // WARNING the order of the bytes in which we calc crc below needs checking\r
370 // i'm 99% sure the crc algorithm is correct, but it may need to eat the\r
371 // bytes in reverse or something\r
372\r
373 if(crc == 0) {\r
374 crc = update_crc16(crc, (idlo)&0xff);\r
375 crc = update_crc16(crc, (idlo>>8)&0xff);\r
376 crc = update_crc16(crc, (idlo>>16)&0xff);\r
377 crc = update_crc16(crc, (idlo>>24)&0xff);\r
378 crc = update_crc16(crc, (idhi)&0xff);\r
379 crc = update_crc16(crc, (idhi>>8)&0xff);\r
380 crc = update_crc16(crc, (idhi>>16)&0xff);\r
381 crc = update_crc16(crc, (idhi>>24)&0xff);\r
382 }\r
6f5cb60c 383 char output_string[64];\r
384 sprintf(output_string, "Writing the following data to tag: %x, %x, %x",\r
385 (unsigned int) idhi, (unsigned int) idlo, crc);\r
386 DbpString(output_string);\r
9bea179a 387\r
388 // TI tags charge at 134.2Khz\r
389 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz\r
390 // Place FPGA in passthrough mode, in this mode the CROSS_LO line\r
391 // connects to SSP_DIN and the SSP_DOUT logic level controls\r
392 // whether we're modulating the antenna (high)\r
393 // or listening to the antenna (low)\r
394 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);\r
395 LED_A_ON();\r
396\r
397 // steal this pin from the SSP and use it to control the modulation\r
6949aca9 398 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;\r
6f5cb60c 399 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;\r
9bea179a 400\r
401 // writing algorithm:\r
402 // a high bit consists of a field off for 1ms and field on for 1ms\r
403 // a low bit consists of a field off for 0.3ms and field on for 1.7ms\r
404 // initiate a charge time of 50ms (field on) then immediately start writing bits\r
405 // start by writing 0xBB (keyword) and 0xEB (password)\r
406 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)\r
407 // finally end with 0x0300 (write frame)\r
408 // all data is sent lsb firts\r
409 // finish with 15ms programming time\r
410\r
411 // modulate antenna\r
6949aca9 412 HIGH(GPIO_SSC_DOUT);\r
9bea179a 413 SpinDelay(50); // charge time\r
414\r
415 WriteTIbyte(0xbb); // keyword\r
416 WriteTIbyte(0xeb); // password\r
417 WriteTIbyte( (idlo )&0xff );\r
418 WriteTIbyte( (idlo>>8 )&0xff );\r
419 WriteTIbyte( (idlo>>16)&0xff );\r
420 WriteTIbyte( (idlo>>24)&0xff );\r
421 WriteTIbyte( (idhi )&0xff );\r
422 WriteTIbyte( (idhi>>8 )&0xff );\r
423 WriteTIbyte( (idhi>>16)&0xff );\r
424 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo\r
425 WriteTIbyte( (crc )&0xff ); // crc lo\r
426 WriteTIbyte( (crc>>8 )&0xff ); // crc hi\r
427 WriteTIbyte(0x00); // write frame lo\r
428 WriteTIbyte(0x03); // write frame hi\r
6949aca9 429 HIGH(GPIO_SSC_DOUT);\r
9bea179a 430 SpinDelay(50); // programming time\r
431\r
432 LED_A_OFF();\r
433\r
434 // get TI tag data into the buffer\r
435 AcquireTiType();\r
436\r
437 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
7381e8f2 438 DbpString("Now use tiread to check");\r
9bea179a 439}\r
440\r
441void SimulateTagLowFrequency(int period, int ledcontrol)\r
442{\r
443 int i;\r
444 BYTE *tab = (BYTE *)BigBuf;\r
445\r
446 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR);\r
447\r
6949aca9 448 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;\r
9bea179a 449\r
6949aca9 450 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;\r
451 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;\r
9bea179a 452\r
453#define SHORT_COIL() LOW(GPIO_SSC_DOUT)\r
6949aca9 454#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)\r
9bea179a 455\r
456 i = 0;\r
457 for(;;) {\r
6949aca9 458 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {\r
9bea179a 459 if(BUTTON_PRESS()) {\r
460 DbpString("Stopped");\r
461 return;\r
462 }\r
463 WDT_HIT();\r
464 }\r
465\r
466 if (ledcontrol)\r
467 LED_D_ON();\r
468\r
469 if(tab[i])\r
470 OPEN_COIL();\r
471 else\r
472 SHORT_COIL();\r
473\r
474 if (ledcontrol)\r
475 LED_D_OFF();\r
476\r
6949aca9 477 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {\r
9bea179a 478 if(BUTTON_PRESS()) {\r
479 DbpString("Stopped");\r
480 return;\r
481 }\r
482 WDT_HIT();\r
483 }\r
484\r
485 i++;\r
486 if(i == period) i = 0;\r
487 }\r
488}\r
489\r
0fa9ca5b 490/* Provides a framework for bidirectional LF tag communication\r
491 * Encoding is currently Hitag2, but the general idea can probably\r
492 * be transferred to other encodings.\r
493 * \r
494 * The new FPGA code will, for the LF simulator mode, give on SSC_FRAME\r
495 * (PA15) a thresholded version of the signal from the ADC. Setting the\r
496 * ADC path to the low frequency peak detection signal, will enable a\r
497 * somewhat reasonable receiver for modulation on the carrier signal\r
498 * that is generated by the reader. The signal is low when the reader\r
499 * field is switched off, and high when the reader field is active. Due\r
500 * to the way that the signal looks like, mostly only the rising edge is\r
501 * useful, your mileage may vary.\r
502 * \r
503 * Neat perk: PA15 can not only be used as a bit-banging GPIO, but is also\r
504 * TIOA1, which can be used as the capture input for timer 1. This should\r
505 * make it possible to measure the exact edge-to-edge time, without processor\r
506 * intervention.\r
507 * \r
508 * Arguments: divisor is the divisor to be sent to the FPGA (e.g. 95 for 125kHz)\r
509 * t0 is the carrier frequency cycle duration in terms of MCK (384 for 125kHz)\r
510 * \r
511 * The following defines are in carrier periods: \r
512 */\r
513#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */ \r
514#define HITAG_T_1_MIN 24 /* T[1] should be 26..30 */\r
515#define HITAG_T_EOF 40 /* T_EOF should be > 36 */\r
516#define HITAG_T_WRESP 208 /* T_wresp should be 204..212 */\r
517\r
518static void hitag_handle_frame(int t0, int frame_len, char *frame);\r
519//#define DEBUG_RA_VALUES 1\r
520#define DEBUG_FRAME_CONTENTS 1\r
521void SimulateTagLowFrequencyBidir(int divisor, int t0)\r
522{\r
523#if DEBUG_RA_VALUES || DEBUG_FRAME_CONTENTS\r
524 int i = 0;\r
525#endif\r
526 char frame[10];\r
527 int frame_pos=0;\r
528 \r
529 DbpString("Starting Hitag2 emulator, press button to end");\r
530 hitag2_init();\r
531 \r
532 /* Set up simulator mode, frequency divisor which will drive the FPGA\r
6949aca9 533 * and analog mux selection.\r
0fa9ca5b 534 */\r
535 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR);\r
536 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);\r
537 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);\r
538 RELAY_OFF();\r
539 \r
540 /* Set up Timer 1:\r
541 * Capture mode, timer source MCK/2 (TIMER_CLOCK1), TIOA is external trigger,\r
542 * external trigger rising edge, load RA on rising edge of TIOA, load RB on rising\r
6949aca9 543 * edge of TIOA. Assign PA15 to TIOA1 (peripheral B)\r
0fa9ca5b 544 */\r
545 \r
6949aca9 546 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);\r
547 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;\r
548 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;\r
549 AT91C_BASE_TC1->TC_CMR = TC_CMR_TCCLKS_TIMER_CLOCK1 |\r
550 AT91C_TC_ETRGEDG_RISING |\r
551 AT91C_TC_ABETRG |\r
552 AT91C_TC_LDRA_RISING |\r
553 AT91C_TC_LDRB_RISING;\r
554 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN |\r
555 AT91C_TC_SWTRG;\r
0fa9ca5b 556 \r
557 /* calculate the new value for the carrier period in terms of TC1 values */\r
558 t0 = t0/2;\r
559 \r
560 int overflow = 0;\r
561 while(!BUTTON_PRESS()) {\r
562 WDT_HIT();\r
6949aca9 563 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {\r
564 int ra = AT91C_BASE_TC1->TC_RA;\r
0fa9ca5b 565 if((ra > t0*HITAG_T_EOF) | overflow) ra = t0*HITAG_T_EOF+1;\r
566#if DEBUG_RA_VALUES\r
567 if(ra > 255 || overflow) ra = 255;\r
568 ((char*)BigBuf)[i] = ra;\r
569 i = (i+1) % 8000;\r
570#endif\r
571 \r
572 if(overflow || (ra > t0*HITAG_T_EOF) || (ra < t0*HITAG_T_0_MIN)) {\r
573 /* Ignore */\r
574 } else if(ra >= t0*HITAG_T_1_MIN ) {\r
575 /* '1' bit */\r
576 if(frame_pos < 8*sizeof(frame)) {\r
577 frame[frame_pos / 8] |= 1<<( 7-(frame_pos%8) );\r
578 frame_pos++;\r
579 }\r
580 } else if(ra >= t0*HITAG_T_0_MIN) {\r
581 /* '0' bit */\r
582 if(frame_pos < 8*sizeof(frame)) {\r
583 frame[frame_pos / 8] |= 0<<( 7-(frame_pos%8) );\r
584 frame_pos++;\r
585 }\r
586 }\r
587 \r
588 overflow = 0;\r
589 LED_D_ON();\r
590 } else {\r
6949aca9 591 if(AT91C_BASE_TC1->TC_CV > t0*HITAG_T_EOF) {\r
0fa9ca5b 592 /* Minor nuisance: In Capture mode, the timer can not be\r
593 * stopped by a Compare C. There's no way to stop the clock\r
594 * in software, so we'll just have to note the fact that an\r
595 * overflow happened and the next loaded timer value might\r
596 * have wrapped. Also, this marks the end of frame, and the\r
597 * still running counter can be used to determine the correct\r
6949aca9 598 * time for the start of the reply.\r
0fa9ca5b 599 */ \r
600 overflow = 1;\r
601 \r
602 if(frame_pos > 0) {\r
603 /* Have a frame, do something with it */\r
604#if DEBUG_FRAME_CONTENTS\r
605 ((char*)BigBuf)[i++] = frame_pos;\r
606 memcpy( ((char*)BigBuf)+i, frame, 7);\r
607 i+=7;\r
608 i = i % sizeof(BigBuf);\r
609#endif\r
610 hitag_handle_frame(t0, frame_pos, frame);\r
611 memset(frame, 0, sizeof(frame));\r
612 }\r
613 frame_pos = 0;\r
614\r
615 }\r
616 LED_D_OFF();\r
617 }\r
618 }\r
619 DbpString("All done");\r
620}\r
621\r
622static void hitag_send_bit(int t0, int bit) {\r
623 if(bit == 1) {\r
624 /* Manchester: Loaded, then unloaded */\r
625 LED_A_ON();\r
626 SHORT_COIL();\r
6949aca9 627 while(AT91C_BASE_TC1->TC_CV < t0*15);\r
0fa9ca5b 628 OPEN_COIL();\r
6949aca9 629 while(AT91C_BASE_TC1->TC_CV < t0*31);\r
0fa9ca5b 630 LED_A_OFF();\r
631 } else if(bit == 0) {\r
632 /* Manchester: Unloaded, then loaded */\r
633 LED_B_ON();\r
634 OPEN_COIL();\r
6949aca9 635 while(AT91C_BASE_TC1->TC_CV < t0*15);\r
0fa9ca5b 636 SHORT_COIL();\r
6949aca9 637 while(AT91C_BASE_TC1->TC_CV < t0*31);\r
0fa9ca5b 638 LED_B_OFF();\r
639 }\r
6949aca9 640 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; /* Reset clock for the next bit */\r
0fa9ca5b 641 \r
642}\r
643static void hitag_send_frame(int t0, int frame_len, const char const * frame, int fdt)\r
644{\r
645 OPEN_COIL();\r
6949aca9 646 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;\r
0fa9ca5b 647 \r
648 /* Wait for HITAG_T_WRESP carrier periods after the last reader bit,\r
649 * not that since the clock counts since the rising edge, but T_wresp is\r
650 * with respect to the falling edge, we need to wait actually (T_wresp - T_g)\r
6949aca9 651 * periods. The gap time T_g varies (4..10).\r
0fa9ca5b 652 */\r
6949aca9 653 while(AT91C_BASE_TC1->TC_CV < t0*(fdt-8));\r
0fa9ca5b 654\r
6949aca9 655 int saved_cmr = AT91C_BASE_TC1->TC_CMR;\r
656 AT91C_BASE_TC1->TC_CMR &= ~AT91C_TC_ETRGEDG; /* Disable external trigger for the clock */\r
657 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; /* Reset the clock and use it for response timing */\r
0fa9ca5b 658 \r
659 int i;\r
660 for(i=0; i<5; i++)\r
661 hitag_send_bit(t0, 1); /* Start of frame */\r
662 \r
663 for(i=0; i<frame_len; i++) {\r
664 hitag_send_bit(t0, !!(frame[i/ 8] & (1<<( 7-(i%8) ))) );\r
665 }\r
666 \r
667 OPEN_COIL();\r
6949aca9 668 AT91C_BASE_TC1->TC_CMR = saved_cmr;\r
0fa9ca5b 669}\r
670\r
671/* Callback structure to cleanly separate tag emulation code from the radio layer. */\r
672static int hitag_cb(const char* response_data, const int response_length, const int fdt, void *cb_cookie)\r
673{\r
674 hitag_send_frame(*(int*)cb_cookie, response_length, response_data, fdt);\r
675 return 0;\r
676}\r
677/* Frame length in bits, frame contents in MSBit first format */\r
678static void hitag_handle_frame(int t0, int frame_len, char *frame)\r
679{\r
680 hitag2_handle_command(frame, frame_len, hitag_cb, &t0);\r
681}\r
682\r
9bea179a 683// compose fc/8 fc/10 waveform\r
684static void fc(int c, int *n) {\r
685 BYTE *dest = (BYTE *)BigBuf;\r
686 int idx;\r
687\r
688 // for when we want an fc8 pattern every 4 logical bits\r
689 if(c==0) {\r
690 dest[((*n)++)]=1;\r
691 dest[((*n)++)]=1;\r
692 dest[((*n)++)]=0;\r
693 dest[((*n)++)]=0;\r
694 dest[((*n)++)]=0;\r
695 dest[((*n)++)]=0;\r
696 dest[((*n)++)]=0;\r
697 dest[((*n)++)]=0;\r
698 }\r
699 // an fc/8 encoded bit is a bit pattern of 11000000 x6 = 48 samples\r
700 if(c==8) {\r
701 for (idx=0; idx<6; idx++) {\r
702 dest[((*n)++)]=1;\r
703 dest[((*n)++)]=1;\r
704 dest[((*n)++)]=0;\r
705 dest[((*n)++)]=0;\r
706 dest[((*n)++)]=0;\r
707 dest[((*n)++)]=0;\r
708 dest[((*n)++)]=0;\r
709 dest[((*n)++)]=0;\r
710 }\r
711 }\r
712\r
713 // an fc/10 encoded bit is a bit pattern of 1110000000 x5 = 50 samples\r
714 if(c==10) {\r
715 for (idx=0; idx<5; idx++) {\r
716 dest[((*n)++)]=1;\r
717 dest[((*n)++)]=1;\r
718 dest[((*n)++)]=1;\r
719 dest[((*n)++)]=0;\r
720 dest[((*n)++)]=0;\r
721 dest[((*n)++)]=0;\r
722 dest[((*n)++)]=0;\r
723 dest[((*n)++)]=0;\r
724 dest[((*n)++)]=0;\r
725 dest[((*n)++)]=0;\r
726 }\r
727 }\r
728}\r
729\r
730// prepare a waveform pattern in the buffer based on the ID given then\r
731// simulate a HID tag until the button is pressed\r
732void CmdHIDsimTAG(int hi, int lo, int ledcontrol)\r
733{\r
734 int n=0, i=0;\r
735 /*\r
736 HID tag bitstream format\r
737 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits\r
738 A 1 bit is represented as 6 fc8 and 5 fc10 patterns\r
739 A 0 bit is represented as 5 fc10 and 6 fc8 patterns\r
740 A fc8 is inserted before every 4 bits\r
741 A special start of frame pattern is used consisting a0b0 where a and b are neither 0\r
742 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)\r
743 */\r
744\r
745 if (hi>0xFFF) {\r
746 DbpString("Tags can only have 44 bits.");\r
747 return;\r
748 }\r
749 fc(0,&n);\r
750 // special start of frame marker containing invalid bit sequences\r
751 fc(8, &n); fc(8, &n); // invalid\r
752 fc(8, &n); fc(10, &n); // logical 0\r
753 fc(10, &n); fc(10, &n); // invalid\r
754 fc(8, &n); fc(10, &n); // logical 0\r
755\r
756 WDT_HIT();\r
757 // manchester encode bits 43 to 32\r
758 for (i=11; i>=0; i--) {\r
759 if ((i%4)==3) fc(0,&n);\r
760 if ((hi>>i)&1) {\r
761 fc(10, &n); fc(8, &n); // low-high transition\r
762 } else {\r
763 fc(8, &n); fc(10, &n); // high-low transition\r
764 }\r
765 }\r
766\r
767 WDT_HIT();\r
768 // manchester encode bits 31 to 0\r
769 for (i=31; i>=0; i--) {\r
770 if ((i%4)==3) fc(0,&n);\r
771 if ((lo>>i)&1) {\r
772 fc(10, &n); fc(8, &n); // low-high transition\r
773 } else {\r
774 fc(8, &n); fc(10, &n); // high-low transition\r
775 }\r
776 }\r
777\r
778 if (ledcontrol)\r
779 LED_A_ON();\r
780 SimulateTagLowFrequency(n, ledcontrol);\r
781\r
782 if (ledcontrol)\r
783 LED_A_OFF();\r
784}\r
785\r
786\r
787// loop to capture raw HID waveform then FSK demodulate the TAG ID from it\r
788void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)\r
789{\r
790 BYTE *dest = (BYTE *)BigBuf;\r
791 int m=0, n=0, i=0, idx=0, found=0, lastval=0;\r
792 DWORD hi=0, lo=0;\r
793\r
794 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz\r
795 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);\r
796\r
797 // Connect the A/D to the peak-detected low-frequency path.\r
798 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);\r
799\r
800 // Give it a bit of time for the resonant antenna to settle.\r
801 SpinDelay(50);\r
802\r
803 // Now set up the SSC to get the ADC samples that are now streaming at us.\r
804 FpgaSetupSsc();\r
805\r
806 for(;;) {\r
807 WDT_HIT();\r
808 if (ledcontrol)\r
809 LED_A_ON();\r
810 if(BUTTON_PRESS()) {\r
811 DbpString("Stopped");\r
812 if (ledcontrol)\r
813 LED_A_OFF();\r
814 return;\r
815 }\r
816\r
817 i = 0;\r
818 m = sizeof(BigBuf);\r
819 memset(dest,128,m);\r
820 for(;;) {\r
6949aca9 821 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r
822 AT91C_BASE_SSC->SSC_THR = 0x43;\r
9bea179a 823 if (ledcontrol)\r
824 LED_D_ON();\r
825 }\r
6949aca9 826 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r
827 dest[i] = (BYTE)AT91C_BASE_SSC->SSC_RHR;\r
9bea179a 828 // we don't care about actual value, only if it's more or less than a\r
829 // threshold essentially we capture zero crossings for later analysis\r
830 if(dest[i] < 127) dest[i] = 0; else dest[i] = 1;\r
831 i++;\r
832 if (ledcontrol)\r
833 LED_D_OFF();\r
834 if(i >= m) {\r
835 break;\r
836 }\r
837 }\r
838 }\r
839\r
840 // FSK demodulator\r
841\r
842 // sync to first lo-hi transition\r
843 for( idx=1; idx<m; idx++) {\r
844 if (dest[idx-1]<dest[idx])\r
845 lastval=idx;\r
846 break;\r
847 }\r
848 WDT_HIT();\r
849\r
850 // count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8)\r
851 // or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere\r
852 // between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10\r
853 for( i=0; idx<m; idx++) {\r
854 if (dest[idx-1]<dest[idx]) {\r
855 dest[i]=idx-lastval;\r
856 if (dest[i] <= 8) {\r
857 dest[i]=1;\r
858 } else {\r
859 dest[i]=0;\r
860 }\r
861\r
862 lastval=idx;\r
863 i++;\r
864 }\r
865 }\r
866 m=i;\r
867 WDT_HIT();\r
868\r
869 // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns\r
870 lastval=dest[0];\r
871 idx=0;\r
872 i=0;\r
873 n=0;\r
874 for( idx=0; idx<m; idx++) {\r
875 if (dest[idx]==lastval) {\r
876 n++;\r
877 } else {\r
878 // a bit time is five fc/10 or six fc/8 cycles so figure out how many bits a pattern width represents,\r
879 // an extra fc/8 pattern preceeds every 4 bits (about 200 cycles) just to complicate things but it gets\r
880 // swallowed up by rounding\r
881 // expected results are 1 or 2 bits, any more and it's an invalid manchester encoding\r
882 // special start of frame markers use invalid manchester states (no transitions) by using sequences\r
883 // like 111000\r
884 if (dest[idx-1]) {\r
885 n=(n+1)/6; // fc/8 in sets of 6\r
886 } else {\r
887 n=(n+1)/5; // fc/10 in sets of 5\r
888 }\r
889 switch (n) { // stuff appropriate bits in buffer\r
890 case 0:\r
891 case 1: // one bit\r
892 dest[i++]=dest[idx-1];\r
893 break;\r
894 case 2: // two bits\r
895 dest[i++]=dest[idx-1];\r
896 dest[i++]=dest[idx-1];\r
897 break;\r
898 case 3: // 3 bit start of frame markers\r
899 dest[i++]=dest[idx-1];\r
900 dest[i++]=dest[idx-1];\r
901 dest[i++]=dest[idx-1];\r
902 break;\r
903 // When a logic 0 is immediately followed by the start of the next transmisson\r
904 // (special pattern) a pattern of 4 bit duration lengths is created.\r
905 case 4:\r
906 dest[i++]=dest[idx-1];\r
907 dest[i++]=dest[idx-1];\r
908 dest[i++]=dest[idx-1];\r
909 dest[i++]=dest[idx-1];\r
910 break;\r
911 default: // this shouldn't happen, don't stuff any bits\r
912 break;\r
913 }\r
914 n=0;\r
915 lastval=dest[idx];\r
916 }\r
917 }\r
918 m=i;\r
919 WDT_HIT();\r
920\r
921 // final loop, go over previously decoded manchester data and decode into usable tag ID\r
922 // 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0\r
923 for( idx=0; idx<m-6; idx++) {\r
924 // search for a start of frame marker\r
925 if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )\r
926 {\r
927 found=1;\r
928 idx+=6;\r
929 if (found && (hi|lo)) {\r
6f5cb60c 930 char output_string[64];\r
931 sprintf(output_string, "TAG ID: %x %x %x", \r
932 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);\r
933 DbpString(output_string);\r
9bea179a 934 /* if we're only looking for one tag */\r
935 if (findone)\r
936 {\r
937 *high = hi;\r
938 *low = lo;\r
939 return;\r
940 }\r
941 hi=0;\r
942 lo=0;\r
943 found=0;\r
944 }\r
945 }\r
946 if (found) {\r
947 if (dest[idx] && (!dest[idx+1]) ) {\r
948 hi=(hi<<1)|(lo>>31);\r
949 lo=(lo<<1)|0;\r
950 } else if ( (!dest[idx]) && dest[idx+1]) {\r
951 hi=(hi<<1)|(lo>>31);\r
952 lo=(lo<<1)|1;\r
953 } else {\r
954 found=0;\r
955 hi=0;\r
956 lo=0;\r
957 }\r
958 idx++;\r
959 }\r
960 if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )\r
961 {\r
962 found=1;\r
963 idx+=6;\r
964 if (found && (hi|lo)) {\r
6f5cb60c 965 char output_string[64];\r
966 sprintf(output_string, "TAG ID: %x %x %x", \r
967 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);\r
968 DbpString(output_string);\r
9bea179a 969 /* if we're only looking for one tag */\r
970 if (findone)\r
971 {\r
972 *high = hi;\r
973 *low = lo;\r
974 return;\r
975 }\r
976 hi=0;\r
977 lo=0;\r
978 found=0;\r
979 }\r
980 }\r
981 }\r
982 WDT_HIT();\r
983 }\r
984}\r
Proxmark3 GIT tracking
Impressum, Datenschutz