]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Jonathan Westhues, April 2006 | |
3 | // iZsh <izsh at fail0verflow.com>, 2014 | |
4 | // | |
5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
6 | // at your option, any later version. See the LICENSE.txt file for the text of | |
7 | // the license. | |
8 | //----------------------------------------------------------------------------- | |
9 | // Routines to load the FPGA image, and then to configure the FPGA's major | |
10 | // mode once it is configured. | |
11 | //----------------------------------------------------------------------------- | |
12 | ||
13 | #include "../include/proxmark3.h" | |
14 | #include "apps.h" | |
15 | #include "util.h" | |
16 | #include "string.h" | |
17 | ||
18 | //----------------------------------------------------------------------------- | |
19 | // Set up the Serial Peripheral Interface as master | |
20 | // Used to write the FPGA config word | |
21 | // May also be used to write to other SPI attached devices like an LCD | |
22 | //----------------------------------------------------------------------------- | |
23 | void SetupSpi(int mode) | |
24 | { | |
25 | // PA10 -> SPI_NCS2 chip select (LCD) | |
26 | // PA11 -> SPI_NCS0 chip select (FPGA) | |
27 | // PA12 -> SPI_MISO Master-In Slave-Out | |
28 | // PA13 -> SPI_MOSI Master-Out Slave-In | |
29 | // PA14 -> SPI_SPCK Serial Clock | |
30 | ||
31 | // Disable PIO control of the following pins, allows use by the SPI peripheral | |
32 | AT91C_BASE_PIOA->PIO_PDR = | |
33 | GPIO_NCS0 | | |
34 | GPIO_NCS2 | | |
35 | GPIO_MISO | | |
36 | GPIO_MOSI | | |
37 | GPIO_SPCK; | |
38 | ||
39 | AT91C_BASE_PIOA->PIO_ASR = | |
40 | GPIO_NCS0 | | |
41 | GPIO_MISO | | |
42 | GPIO_MOSI | | |
43 | GPIO_SPCK; | |
44 | ||
45 | AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2; | |
46 | ||
47 | //enable the SPI Peripheral clock | |
48 | AT91C_BASE_PMC->PMC_PCER = (1<<AT91C_ID_SPI); | |
49 | // Enable SPI | |
50 | AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIEN; | |
51 | ||
52 | switch (mode) { | |
53 | case SPI_FPGA_MODE: | |
54 | AT91C_BASE_SPI->SPI_MR = | |
55 | ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods) | |
56 | (14 << 16) | // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11) | |
57 | ( 0 << 7) | // Local Loopback Disabled | |
58 | ( 1 << 4) | // Mode Fault Detection disabled | |
59 | ( 0 << 2) | // Chip selects connected directly to peripheral | |
60 | ( 0 << 1) | // Fixed Peripheral Select | |
61 | ( 1 << 0); // Master Mode | |
62 | AT91C_BASE_SPI->SPI_CSR[0] = | |
63 | ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods) | |
64 | ( 1 << 16) | // Delay Before SPCK (1 MCK period) | |
65 | ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud | |
66 | ( 8 << 4) | // Bits per Transfer (16 bits) | |
67 | ( 0 << 3) | // Chip Select inactive after transfer | |
68 | ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge | |
69 | ( 0 << 0); // Clock Polarity inactive state is logic 0 | |
70 | break; | |
71 | case SPI_LCD_MODE: | |
72 | AT91C_BASE_SPI->SPI_MR = | |
73 | ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods) | |
74 | (11 << 16) | // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10) | |
75 | ( 0 << 7) | // Local Loopback Disabled | |
76 | ( 1 << 4) | // Mode Fault Detection disabled | |
77 | ( 0 << 2) | // Chip selects connected directly to peripheral | |
78 | ( 0 << 1) | // Fixed Peripheral Select | |
79 | ( 1 << 0); // Master Mode | |
80 | AT91C_BASE_SPI->SPI_CSR[2] = | |
81 | ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods) | |
82 | ( 1 << 16) | // Delay Before SPCK (1 MCK period) | |
83 | ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud | |
84 | ( 1 << 4) | // Bits per Transfer (9 bits) | |
85 | ( 0 << 3) | // Chip Select inactive after transfer | |
86 | ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge | |
87 | ( 0 << 0); // Clock Polarity inactive state is logic 0 | |
88 | break; | |
89 | default: // Disable SPI | |
90 | AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS; | |
91 | break; | |
92 | } | |
93 | } | |
94 | ||
95 | //----------------------------------------------------------------------------- | |
96 | // Set up the synchronous serial port, with the one set of options that we | |
97 | // always use when we are talking to the FPGA. Both RX and TX are enabled. | |
98 | //----------------------------------------------------------------------------- | |
99 | void FpgaSetupSsc(void) | |
100 | { | |
101 | // First configure the GPIOs, and get ourselves a clock. | |
102 | AT91C_BASE_PIOA->PIO_ASR = | |
103 | GPIO_SSC_FRAME | | |
104 | GPIO_SSC_DIN | | |
105 | GPIO_SSC_DOUT | | |
106 | GPIO_SSC_CLK; | |
107 | AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT; | |
108 | ||
109 | AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC); | |
110 | ||
111 | // Now set up the SSC proper, starting from a known state. | |
112 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST; | |
113 | ||
114 | // RX clock comes from TX clock, RX starts when TX starts, data changes | |
115 | // on RX clock rising edge, sampled on falling edge | |
116 | AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1); | |
117 | ||
118 | // 8 bits per transfer, no loopback, MSB first, 1 transfer per sync | |
119 | // pulse, no output sync | |
120 | AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); | |
121 | ||
122 | // clock comes from TK pin, no clock output, outputs change on falling | |
123 | // edge of TK, sample on rising edge of TK, start on positive-going edge of sync | |
124 | AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5); | |
125 | ||
126 | // tx framing is the same as the rx framing | |
127 | AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR; | |
128 | ||
129 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN; | |
130 | } | |
131 | ||
132 | //----------------------------------------------------------------------------- | |
133 | // Set up DMA to receive samples from the FPGA. We will use the PDC, with | |
134 | // a single buffer as a circular buffer (so that we just chain back to | |
135 | // ourselves, not to another buffer). The stuff to manipulate those buffers | |
136 | // is in apps.h, because it should be inlined, for speed. | |
137 | //----------------------------------------------------------------------------- | |
138 | bool FpgaSetupSscDma(uint8_t *buf, int len) | |
139 | { | |
140 | if (buf == NULL) { | |
141 | return false; | |
142 | } | |
143 | ||
144 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer | |
145 | AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf; // transfer to this memory address | |
146 | AT91C_BASE_PDC_SSC->PDC_RCR = len; // transfer this many bytes | |
147 | AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf; // next transfer to same memory address | |
148 | AT91C_BASE_PDC_SSC->PDC_RNCR = len; // ... with same number of bytes | |
149 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go! | |
150 | ||
151 | return true; | |
152 | } | |
153 | ||
154 | static void DownloadFPGA_byte(unsigned char w) | |
155 | { | |
156 | #define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); } | |
157 | SEND_BIT(7); | |
158 | SEND_BIT(6); | |
159 | SEND_BIT(5); | |
160 | SEND_BIT(4); | |
161 | SEND_BIT(3); | |
162 | SEND_BIT(2); | |
163 | SEND_BIT(1); | |
164 | SEND_BIT(0); | |
165 | } | |
166 | ||
167 | // Download the fpga image starting at FpgaImage and with length FpgaImageLen bytes | |
168 | // If bytereversal is set: reverse the byte order in each 4-byte word | |
169 | static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int bytereversal) | |
170 | { | |
171 | int i=0; | |
172 | ||
173 | AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON; | |
174 | AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON; | |
175 | HIGH(GPIO_FPGA_ON); // ensure everything is powered on | |
176 | ||
177 | SpinDelay(50); | |
178 | ||
179 | LED_D_ON(); | |
180 | ||
181 | // These pins are inputs | |
182 | AT91C_BASE_PIOA->PIO_ODR = | |
183 | GPIO_FPGA_NINIT | | |
184 | GPIO_FPGA_DONE; | |
185 | // PIO controls the following pins | |
186 | AT91C_BASE_PIOA->PIO_PER = | |
187 | GPIO_FPGA_NINIT | | |
188 | GPIO_FPGA_DONE; | |
189 | // Enable pull-ups | |
190 | AT91C_BASE_PIOA->PIO_PPUER = | |
191 | GPIO_FPGA_NINIT | | |
192 | GPIO_FPGA_DONE; | |
193 | ||
194 | // setup initial logic state | |
195 | HIGH(GPIO_FPGA_NPROGRAM); | |
196 | LOW(GPIO_FPGA_CCLK); | |
197 | LOW(GPIO_FPGA_DIN); | |
198 | // These pins are outputs | |
199 | AT91C_BASE_PIOA->PIO_OER = | |
200 | GPIO_FPGA_NPROGRAM | | |
201 | GPIO_FPGA_CCLK | | |
202 | GPIO_FPGA_DIN; | |
203 | ||
204 | // enter FPGA configuration mode | |
205 | LOW(GPIO_FPGA_NPROGRAM); | |
206 | SpinDelay(50); | |
207 | HIGH(GPIO_FPGA_NPROGRAM); | |
208 | ||
209 | i=100000; | |
210 | // wait for FPGA ready to accept data signal | |
211 | while ((i) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_NINIT ) ) ) { | |
212 | i--; | |
213 | } | |
214 | ||
215 | // crude error indicator, leave both red LEDs on and return | |
216 | if (i==0){ | |
217 | LED_C_ON(); | |
218 | LED_D_ON(); | |
219 | return; | |
220 | } | |
221 | ||
222 | if(bytereversal) { | |
223 | /* This is only supported for uint32_t aligned images */ | |
224 | if( ((int)FpgaImage % sizeof(uint32_t)) == 0 ) { | |
225 | i=0; | |
226 | while(FpgaImageLen-->0) | |
227 | DownloadFPGA_byte(FpgaImage[(i++)^0x3]); | |
228 | /* Explanation of the magic in the above line: | |
229 | * i^0x3 inverts the lower two bits of the integer i, counting backwards | |
230 | * for each 4 byte increment. The generated sequence of (i++)^3 is | |
231 | * 3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12 etc. pp. | |
232 | */ | |
233 | } | |
234 | } else { | |
235 | while(FpgaImageLen-->0) | |
236 | DownloadFPGA_byte(*FpgaImage++); | |
237 | } | |
238 | ||
239 | // continue to clock FPGA until ready signal goes high | |
240 | i=100000; | |
241 | while ( (i--) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE ) ) ) { | |
242 | HIGH(GPIO_FPGA_CCLK); | |
243 | LOW(GPIO_FPGA_CCLK); | |
244 | } | |
245 | // crude error indicator, leave both red LEDs on and return | |
246 | if (i==0){ | |
247 | LED_C_ON(); | |
248 | LED_D_ON(); | |
249 | return; | |
250 | } | |
251 | LED_D_OFF(); | |
252 | } | |
253 | ||
254 | static char *bitparse_headers_start; | |
255 | static char *bitparse_bitstream_end; | |
256 | static int bitparse_initialized = 0; | |
257 | /* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence | |
258 | * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01 | |
259 | * After that the format is 1 byte section type (ASCII character), 2 byte length | |
260 | * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes | |
261 | * length. | |
262 | */ | |
263 | static const char _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01}; | |
264 | static int bitparse_init(void * start_address, void *end_address) | |
265 | { | |
266 | bitparse_initialized = 0; | |
267 | ||
268 | if(memcmp(_bitparse_fixed_header, start_address, sizeof(_bitparse_fixed_header)) != 0) { | |
269 | return 0; /* Not matched */ | |
270 | } else { | |
271 | bitparse_headers_start= ((char*)start_address) + sizeof(_bitparse_fixed_header); | |
272 | bitparse_bitstream_end= (char*)end_address; | |
273 | bitparse_initialized = 1; | |
274 | return 1; | |
275 | } | |
276 | } | |
277 | ||
278 | int bitparse_find_section(char section_name, char **section_start, unsigned int *section_length) | |
279 | { | |
280 | char *pos = bitparse_headers_start; | |
281 | int result = 0; | |
282 | ||
283 | if(!bitparse_initialized) return 0; | |
284 | ||
285 | while(pos < bitparse_bitstream_end) { | |
286 | char current_name = *pos++; | |
287 | unsigned int current_length = 0; | |
288 | if(current_name < 'a' || current_name > 'e') { | |
289 | /* Strange section name, abort */ | |
290 | break; | |
291 | } | |
292 | current_length = 0; | |
293 | switch(current_name) { | |
294 | case 'e': | |
295 | /* Four byte length field */ | |
296 | current_length += (*pos++) << 24; | |
297 | current_length += (*pos++) << 16; | |
298 | default: /* Fall through, two byte length field */ | |
299 | current_length += (*pos++) << 8; | |
300 | current_length += (*pos++) << 0; | |
301 | } | |
302 | ||
303 | if(current_name != 'e' && current_length > 255) { | |
304 | /* Maybe a parse error */ | |
305 | break; | |
306 | } | |
307 | ||
308 | if(current_name == section_name) { | |
309 | /* Found it */ | |
310 | *section_start = pos; | |
311 | *section_length = current_length; | |
312 | result = 1; | |
313 | break; | |
314 | } | |
315 | ||
316 | pos += current_length; /* Skip section */ | |
317 | } | |
318 | ||
319 | return result; | |
320 | } | |
321 | ||
322 | //----------------------------------------------------------------------------- | |
323 | // Find out which FPGA image format is stored in flash, then call DownloadFPGA | |
324 | // with the right parameters to download the image | |
325 | //----------------------------------------------------------------------------- | |
326 | extern char _binary_fpga_lf_bit_start, _binary_fpga_lf_bit_end; | |
327 | extern char _binary_fpga_hf_bit_start, _binary_fpga_hf_bit_end; | |
328 | void FpgaDownloadAndGo(int bitstream_version) | |
329 | { | |
330 | void *bit_start; | |
331 | void *bit_end; | |
332 | ||
333 | // check whether or not the bitstream is already loaded | |
334 | if (FpgaGatherBitstreamVersion() == bitstream_version) | |
335 | return; | |
336 | ||
337 | if (bitstream_version == FPGA_BITSTREAM_LF) { | |
338 | bit_start = &_binary_fpga_lf_bit_start; | |
339 | bit_end = &_binary_fpga_lf_bit_end; | |
340 | } else if (bitstream_version == FPGA_BITSTREAM_HF) { | |
341 | bit_start = &_binary_fpga_hf_bit_start; | |
342 | bit_end = &_binary_fpga_hf_bit_end; | |
343 | } else | |
344 | return; | |
345 | /* Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start | |
346 | */ | |
347 | if(bitparse_init(bit_start, bit_end)) { | |
348 | /* Successfully initialized the .bit parser. Find the 'e' section and | |
349 | * send its contents to the FPGA. | |
350 | */ | |
351 | char *bitstream_start; | |
352 | unsigned int bitstream_length; | |
353 | if(bitparse_find_section('e', &bitstream_start, &bitstream_length)) { | |
354 | DownloadFPGA(bitstream_start, bitstream_length, 0); | |
355 | ||
356 | return; /* All done */ | |
357 | } | |
358 | } | |
359 | ||
360 | /* Fallback for the old flash image format: Check for the magic marker 0xFFFFFFFF | |
361 | * 0xAA995566 at address 0x102000. This is raw bitstream with a size of 336,768 bits | |
362 | * = 10,524 uint32_t, stored as uint32_t e.g. little-endian in memory, but each DWORD | |
363 | * is still to be transmitted in MSBit first order. Set the invert flag to indicate | |
364 | * that the DownloadFPGA function should invert every 4 byte sequence when doing | |
365 | * the bytewise download. | |
366 | */ | |
367 | if( *(uint32_t*)0x102000 == 0xFFFFFFFF && *(uint32_t*)0x102004 == 0xAA995566 ) | |
368 | DownloadFPGA((char*)0x102000, 10524*4, 1); | |
369 | } | |
370 | ||
371 | int FpgaGatherBitstreamVersion() | |
372 | { | |
373 | char temp[256]; | |
374 | FpgaGatherVersion(temp, sizeof (temp)); | |
375 | if (!memcmp("LF", temp, 2)) | |
376 | return FPGA_BITSTREAM_LF; | |
377 | else if (!memcmp("HF", temp, 2)) | |
378 | return FPGA_BITSTREAM_HF; | |
379 | return FPGA_BITSTREAM_ERR; | |
380 | } | |
381 | ||
382 | void FpgaGatherVersion(char *dst, int len) | |
383 | { | |
384 | char *fpga_info; | |
385 | unsigned int fpga_info_len; | |
386 | dst[0] = 0; | |
387 | if(!bitparse_find_section('e', &fpga_info, &fpga_info_len)) { | |
388 | strncat(dst, "FPGA image: legacy image without version information", len-1); | |
389 | } else { | |
390 | /* USB packets only have 48 bytes data payload, so be terse */ | |
391 | if(bitparse_find_section('a', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) { | |
392 | if (!memcmp("fpga_lf", fpga_info, 7)) | |
393 | strncat(dst, "LF ", len-1); | |
394 | else if (!memcmp("fpga_hf", fpga_info, 7)) | |
395 | strncat(dst, "HF ", len-1); | |
396 | } | |
397 | strncat(dst, "FPGA image built", len-1); | |
398 | #if 0 | |
399 | if(bitparse_find_section('b', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) { | |
400 | strncat(dst, " for ", len-1); | |
401 | strncat(dst, fpga_info, len-1); | |
402 | } | |
403 | #endif | |
404 | if(bitparse_find_section('c', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) { | |
405 | strncat(dst, " on ", len-1); | |
406 | strncat(dst, fpga_info, len-1); | |
407 | } | |
408 | if(bitparse_find_section('d', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) { | |
409 | strncat(dst, " at ", len-1); | |
410 | strncat(dst, fpga_info, len-1); | |
411 | } | |
412 | } | |
413 | } | |
414 | ||
415 | //----------------------------------------------------------------------------- | |
416 | // Send a 16 bit command/data pair to the FPGA. | |
417 | // The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 | |
418 | // where C is the 4 bit command and D is the 12 bit data | |
419 | //----------------------------------------------------------------------------- | |
420 | void FpgaSendCommand(uint16_t cmd, uint16_t v) | |
421 | { | |
422 | SetupSpi(SPI_FPGA_MODE); | |
423 | while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0); // wait for the transfer to complete | |
424 | AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v; // send the data | |
425 | } | |
426 | //----------------------------------------------------------------------------- | |
427 | // Write the FPGA setup word (that determines what mode the logic is in, read | |
428 | // vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to | |
429 | // avoid changing this function's occurence everywhere in the source code. | |
430 | //----------------------------------------------------------------------------- | |
431 | void FpgaWriteConfWord(uint8_t v) | |
432 | { | |
433 | FpgaSendCommand(FPGA_CMD_SET_CONFREG, v); | |
434 | } | |
435 | ||
436 | //----------------------------------------------------------------------------- | |
437 | // Set up the CMOS switches that mux the ADC: four switches, independently | |
438 | // closable, but should only close one at a time. Not an FPGA thing, but | |
439 | // the samples from the ADC always flow through the FPGA. | |
440 | //----------------------------------------------------------------------------- | |
441 | void SetAdcMuxFor(uint32_t whichGpio) | |
442 | { | |
443 | AT91C_BASE_PIOA->PIO_OER = | |
444 | GPIO_MUXSEL_HIPKD | | |
445 | GPIO_MUXSEL_LOPKD | | |
446 | GPIO_MUXSEL_LORAW | | |
447 | GPIO_MUXSEL_HIRAW; | |
448 | ||
449 | AT91C_BASE_PIOA->PIO_PER = | |
450 | GPIO_MUXSEL_HIPKD | | |
451 | GPIO_MUXSEL_LOPKD | | |
452 | GPIO_MUXSEL_LORAW | | |
453 | GPIO_MUXSEL_HIRAW; | |
454 | ||
455 | LOW(GPIO_MUXSEL_HIPKD); | |
456 | LOW(GPIO_MUXSEL_HIRAW); | |
457 | LOW(GPIO_MUXSEL_LORAW); | |
458 | LOW(GPIO_MUXSEL_LOPKD); | |
459 | ||
460 | HIGH(whichGpio); | |
461 | } |