//-----------------------------------------------------------------------------
// Pretend to be an ISO 14443 tag. We will do this by alternately short-
// circuiting and open-circuiting the antenna coil, with the tri-state
// pins.
//
// We communicate over the SSP, as a bitstream (i.e., might as well be
// unframed, though we still generate the word sync signal). The output
// (ARM -> FPGA) tells us whether to modulate or not. The input (FPGA
// -> ARM) is us using the A/D as a fancy comparator; this is with
// (software-added) hysteresis, to undo the high-pass filter.
//
// At this point only Type A is implemented. This means that we are using a
// bit rate of 106 kbit/s, or fc/128. Oversample by 4, which ought to make
// things practical for the ARM (fc/32, 423.8 kbits/s, ~50 kbytes/s)
//
// Jonathan Westhues, October 2006
//-----------------------------------------------------------------------------
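// Possible mod_types (3-bit mode select on the mod_type input).
// Divider taps named below are bits of ssp_clk_divider, which counts
// 13.56 MHz carrier cycles: bit 3 = fc/16, bit 4 = fc/32, bit 5 = fc/64,
// bit 7 = fc/256.

// Listening only: the load modulation output is held low.
`define NO_MODULATION 3'b000
// ssp_dout XORed with the fc/16 tap.
`define MODULATE_BPSK 3'b001
// ssp_dout gates the fc/64 tap; ssp_clk also runs at fc/64.
`define MODULATE_212K 3'b010
// ssp_dout gates the fc/32 tap; ssp_clk runs at fc/32.
`define MODULATE_424K 3'b100
// Same modulation as MODULATE_424K, but ssp_clk runs at fc/256.
`define MODULATE_424K_8BIT 3'b101

//-----------------------------------------------------------------------------
// hi_simulate: HF tag simulation path.
//
// Inputs read by this module:
//   ck_1356meg  13.56 MHz carrier clock; drives adc_clk and all dividers
//   adc_d       8-bit A/D sample; only bits [7:5] are examined
//   ssp_dout    bit from the ARM selecting modulate / do not modulate
//   mod_type    one of the mode values defined above
// Inputs declared but not read here: pck0, ck_1356megb, cross_hi, cross_lo.
//
// Outputs:
//   adc_clk             copy of ck_1356meg
//   ssp_clk             bit clock, a divider tap selected by mod_type
//   ssp_frame           high for one ssp_clk period out of every eight
//   ssp_din, dbg        after-hysteresis comparator bit, sampled on ssp_clk
//   pwr_oe1, pwr_oe4    load modulation drive
//   pwr_hi, pwr_lo, pwr_oe2, pwr_oe3   tied low
//
// NOTE(review): none of the counters has a reset or an initial value in this
// file, so a simulator starts them at X; a testbench has to initialise them.
//-----------------------------------------------------------------------------
module hi_simulate(
    pck0, ck_1356meg, ck_1356megb,
    pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4,
    adc_d, adc_clk,
    ssp_frame, ssp_din, ssp_dout, ssp_clk,
    cross_hi, cross_lo,
    dbg,
    mod_type
);
    input pck0, ck_1356meg, ck_1356megb;
    output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4;
    input [7:0] adc_d;
    output adc_clk;
    input ssp_dout;
    output ssp_frame, ssp_din, ssp_clk;
    input cross_hi, cross_lo;
    output dbg;
    input [2:0] mod_type;


// The comparator with hysteresis on the output from the peak detector.
// Set when the top three ADC bits are all ones, cleared when they are all
// zeros, and held in between.
reg after_hysteresis;
assign adc_clk = ck_1356meg;

always @(negedge adc_clk)
begin
    // Non-blocking: this is a clocked register that another clocked block
    // (ssp_din) reads, so blocking assignment would invite simulation races.
    if(& adc_d[7:5]) after_hysteresis <= 1'b1;
    else if(~(| adc_d[7:5])) after_hysteresis <= 1'b0;
end


// Divide 13.56 MHz to produce various frequencies for SSP_CLK
// and modulation.
reg [7:0] ssp_clk_divider;

always @(posedge adc_clk)
    ssp_clk_divider <= (ssp_clk_divider + 1);

// The divider advances on the rising edge of adc_clk; ssp_clk samples the
// selected tap on the falling edge.
reg ssp_clk;

always @(negedge adc_clk)
begin
    if(mod_type == `MODULATE_424K_8BIT)
        // Get next bit at 53kHz (every 8th carrier bit of 424kHz)
        ssp_clk <= ssp_clk_divider[7];
    else if(mod_type == `MODULATE_212K)
        // Get next bit at 212kHz
        ssp_clk <= ssp_clk_divider[5];
    else
        // Get next bit at 424kHz (all remaining modes, including listening)
        ssp_clk <= ssp_clk_divider[4];
end


// Divide SSP_CLK by 8 to produce the byte framing signal; the phase of
// this is arbitrary, because it's just a bitstream.
// One nasty issue, though: I can't make it work with both rx and tx at
// once. The phase wrt ssp_clk must be changed. TODO to find out why
// that is and make a better fix.
reg [2:0] ssp_frame_divider_to_arm;
always @(posedge ssp_clk)
    ssp_frame_divider_to_arm <= (ssp_frame_divider_to_arm + 1);
reg [2:0] ssp_frame_divider_from_arm;
always @(negedge ssp_clk)
    ssp_frame_divider_from_arm <= (ssp_frame_divider_from_arm + 1);


// Combinational select between the two frame counters.
reg ssp_frame;
always @(ssp_frame_divider_to_arm or ssp_frame_divider_from_arm or mod_type)
    if(mod_type == `NO_MODULATION) // not modulating, so listening, to ARM
        ssp_frame = (ssp_frame_divider_to_arm == 3'b000);
    else
        ssp_frame = (ssp_frame_divider_from_arm == 3'b000);

// Synchronize up the after-hysteresis signal, to produce DIN.
reg ssp_din;
always @(posedge ssp_clk)
    ssp_din <= after_hysteresis;

// Modulating carrier frequency is fc/64 (212kHz) to fc/16 (848kHz). Reuse ssp_clk divider for that.
//
// This is combinational logic, so the sensitivity list names every signal
// the block reads. The divider taps were previously missing from the list
// (ssp_clk was listed instead), which made simulation update the output only
// on ssp_clk edges while synthesis builds logic that follows the taps.
// Blocking assignment is used because nothing here is clocked.
reg modulating_carrier;
always @(mod_type or ssp_dout or ssp_clk_divider)
    case (mod_type)
        `NO_MODULATION:
            modulating_carrier = 1'b0; // no modulation
        `MODULATE_BPSK:
            modulating_carrier = ssp_dout ^ ssp_clk_divider[3]; // XOR means BPSK
        `MODULATE_212K:
            modulating_carrier = ssp_dout & ssp_clk_divider[5]; // switch 212kHz subcarrier on/off
        `MODULATE_424K, `MODULATE_424K_8BIT:
            modulating_carrier = ssp_dout & ssp_clk_divider[4]; // switch 424kHz modulation on/off
        default:
            modulating_carrier = 1'b0; // yet unused
    endcase


// Load modulation. Toggle only one of these, since we are already producing much deeper
// modulation than a real tag would.
assign pwr_hi = 1'b0; // HF antenna connected to GND
assign pwr_oe3 = 1'b0; // 10k Load
assign pwr_oe1 = modulating_carrier; // 33 Ohms Load
assign pwr_oe4 = modulating_carrier; // 33 Ohms Load

// This is all LF and doesn't matter
assign pwr_lo = 1'b0;
assign pwr_oe2 = 1'b0;


assign dbg = ssp_din;

endmodule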