]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
36efe72900494ac8ace5616c04a694a5bb830bb4
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21 #include "fpgaloader.h"
22
23 /**
24 * Function to do a modulation and then get samples.
25 * @param delay_off
26 * @param period_0
27 * @param period_1
28 * @param command
29 */
30 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
31 {
32 // start timer
33 StartTicks();
34
35 // use lf config settings
36 sample_config *sc = getSamplingConfig();
37
38 // Make sure the tag is reset
39 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
40 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
41 WaitMS(2500);
42
43 // clear read buffer (after fpga bitstream loaded...)
44 BigBuf_Clear_keep_EM();
45
46 // power on
47 LFSetupFPGAForADC(sc->divisor, 1);
48
49 // And a little more time for the tag to fully power up
50 WaitMS(2000);
51 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
52 bool bitbang = delay_off == 0;
53 // now modulate the reader field
54
55 if (bitbang) {
56 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
57 uint8_t hack_cnt = 7;
58 if (period_0 < hack_cnt || period_1 < hack_cnt) {
59 DbpString("Warning periods cannot be less than 7us in bit bang mode");
60 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
61 LED_D_OFF();
62 return;
63 }
64
65 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
66 // leading to ~ 1 to 2 125khz samples extra in every off period
67 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
68 // but is this time different for every antenna or other hw builds??? more testing needed
69
70 // prime cmd_len to save time comparing strings while modulating
71 int cmd_len = 0;
72 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
73 cmd_len++;
74
75 int counter = 0;
76 bool off = false;
77 for (counter = 0; counter < cmd_len; counter++) {
78 // if cmd = 0 then turn field off
79 if (command[counter] == '0') {
80 // if field already off leave alone (affects timing otherwise)
81 if (off == false) {
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
83 LED_D_OFF();
84 off = true;
85 }
86 // note we appear to take about 7us to switch over (or run the if statements/loop...)
87 WaitUS(period_0-hack_cnt);
88 // else if cmd = 1 then turn field on
89 } else {
90 // if field already on leave alone (affects timing otherwise)
91 if (off) {
92 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
93 LED_D_ON();
94 off = false;
95 }
96 // note we appear to take about 7us to switch over (or run the if statements/loop...)
97 WaitUS(period_1-hack_cnt);
98 }
99 }
100 } else { // old mode of cmd read using delay as off period
101 while(*command != '\0' && *command != ' ') {
102 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
103 LED_D_OFF();
104 WaitUS(delay_off);
105 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
106 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
107 LED_D_ON();
108 if(*(command++) == '0') {
109 WaitUS(period_0);
110 } else {
111 WaitUS(period_1);
112 }
113 }
114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
115 LED_D_OFF();
116 WaitUS(delay_off);
117 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
118 }
119
120 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
121
122 // now do the read
123 DoAcquisition_config(false, 0);
124
125 // Turn off antenna
126 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
127 // tell client we are done
128 cmd_send(CMD_ACK,0,0,0,0,0);
129 }
130
131 /* blank r/w tag data stream
132 ...0000000000000000 01111111
133 1010101010101010101010101010101010101010101010101010101010101010
134 0011010010100001
135 01111111
136 101010101010101[0]000...
137
138 [5555fe852c5555555555555555fe0000]
139 */
140 void ReadTItag(void)
141 {
142 // some hardcoded initial params
143 // when we read a TI tag we sample the zerocross line at 2Mhz
144 // TI tags modulate a 1 as 16 cycles of 123.2Khz
145 // TI tags modulate a 0 as 16 cycles of 134.2Khz
146 #define FSAMPLE 2000000
147 #define FREQLO 123200
148 #define FREQHI 134200
149
150 signed char *dest = (signed char *)BigBuf_get_addr();
151 uint16_t n = BigBuf_max_traceLen();
152 // 128 bit shift register [shift3:shift2:shift1:shift0]
153 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
154
155 int i, cycles=0, samples=0;
156 // how many sample points fit in 16 cycles of each frequency
157 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
158 // when to tell if we're close enough to one freq or another
159 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
160
161 // TI tags charge at 134.2Khz
162 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
163 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
164
165 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
166 // connects to SSP_DIN and the SSP_DOUT logic level controls
167 // whether we're modulating the antenna (high)
168 // or listening to the antenna (low)
169 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
170
171 // get TI tag data into the buffer
172 AcquireTiType();
173
174 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
175
176 for (i=0; i<n-1; i++) {
177 // count cycles by looking for lo to hi zero crossings
178 if ( (dest[i]<0) && (dest[i+1]>0) ) {
179 cycles++;
180 // after 16 cycles, measure the frequency
181 if (cycles>15) {
182 cycles=0;
183 samples=i-samples; // number of samples in these 16 cycles
184
185 // TI bits are coming to us lsb first so shift them
186 // right through our 128 bit right shift register
187 shift0 = (shift0>>1) | (shift1 << 31);
188 shift1 = (shift1>>1) | (shift2 << 31);
189 shift2 = (shift2>>1) | (shift3 << 31);
190 shift3 >>= 1;
191
192 // check if the cycles fall close to the number
193 // expected for either the low or high frequency
194 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
195 // low frequency represents a 1
196 shift3 |= (1<<31);
197 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
198 // high frequency represents a 0
199 } else {
200 // probably detected a gay waveform or noise
201 // use this as gaydar or discard shift register and start again
202 shift3 = shift2 = shift1 = shift0 = 0;
203 }
204 samples = i;
205
206 // for each bit we receive, test if we've detected a valid tag
207
208 // if we see 17 zeroes followed by 6 ones, we might have a tag
209 // remember the bits are backwards
210 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
211 // if start and end bytes match, we have a tag so break out of the loop
212 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
213 cycles = 0xF0B; //use this as a flag (ugly but whatever)
214 break;
215 }
216 }
217 }
218 }
219 }
220
221 // if flag is set we have a tag
222 if (cycles!=0xF0B) {
223 DbpString("Info: No valid tag detected.");
224 } else {
225 // put 64 bit data into shift1 and shift0
226 shift0 = (shift0>>24) | (shift1 << 8);
227 shift1 = (shift1>>24) | (shift2 << 8);
228
229 // align 16 bit crc into lower half of shift2
230 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
231
232 // if r/w tag, check ident match
233 if (shift3 & (1<<15) ) {
234 DbpString("Info: TI tag is rewriteable");
235 // only 15 bits compare, last bit of ident is not valid
236 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
237 DbpString("Error: Ident mismatch!");
238 } else {
239 DbpString("Info: TI tag ident is valid");
240 }
241 } else {
242 DbpString("Info: TI tag is readonly");
243 }
244
245 // WARNING the order of the bytes in which we calc crc below needs checking
246 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
247 // bytes in reverse or something
248 // calculate CRC
249 uint32_t crc=0;
250
251 crc = update_crc16(crc, (shift0)&0xff);
252 crc = update_crc16(crc, (shift0>>8)&0xff);
253 crc = update_crc16(crc, (shift0>>16)&0xff);
254 crc = update_crc16(crc, (shift0>>24)&0xff);
255 crc = update_crc16(crc, (shift1)&0xff);
256 crc = update_crc16(crc, (shift1>>8)&0xff);
257 crc = update_crc16(crc, (shift1>>16)&0xff);
258 crc = update_crc16(crc, (shift1>>24)&0xff);
259
260 Dbprintf("Info: Tag data: %x%08x, crc=%x",
261 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
262 if (crc != (shift2&0xffff)) {
263 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
264 } else {
265 DbpString("Info: CRC is good");
266 }
267 }
268 }
269
270 void WriteTIbyte(uint8_t b)
271 {
272 int i = 0;
273
274 // modulate 8 bits out to the antenna
275 for (i=0; i<8; i++)
276 {
277 if (b&(1<<i)) {
278 // stop modulating antenna
279 LOW(GPIO_SSC_DOUT);
280 SpinDelayUs(1000);
281 // modulate antenna
282 HIGH(GPIO_SSC_DOUT);
283 SpinDelayUs(1000);
284 } else {
285 // stop modulating antenna
286 LOW(GPIO_SSC_DOUT);
287 SpinDelayUs(300);
288 // modulate antenna
289 HIGH(GPIO_SSC_DOUT);
290 SpinDelayUs(1700);
291 }
292 }
293 }
294
295 void AcquireTiType(void)
296 {
297 int i, j, n;
298 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
299 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
300 #define TIBUFLEN 1250
301
302 // clear buffer
303 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
304 BigBuf_Clear_ext(false);
305
306 // Set up the synchronous serial port
307 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
308 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
309
310 // steal this pin from the SSP and use it to control the modulation
311 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
312 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
313
314 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
315 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
316
317 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
318 // 48/2 = 24 MHz clock must be divided by 12
319 AT91C_BASE_SSC->SSC_CMR = 12;
320
321 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
322 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
323 AT91C_BASE_SSC->SSC_TCMR = 0;
324 AT91C_BASE_SSC->SSC_TFMR = 0;
325
326 LED_D_ON();
327
328 // modulate antenna
329 HIGH(GPIO_SSC_DOUT);
330
331 // Charge TI tag for 50ms.
332 SpinDelay(50);
333
334 // stop modulating antenna and listen
335 LOW(GPIO_SSC_DOUT);
336
337 LED_D_OFF();
338
339 i = 0;
340 for(;;) {
341 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
342 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
343 i++; if(i >= TIBUFLEN) break;
344 }
345 WDT_HIT();
346 }
347
348 // return stolen pin to SSP
349 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
350 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
351
352 char *dest = (char *)BigBuf_get_addr();
353 n = TIBUFLEN*32;
354 // unpack buffer
355 for (i=TIBUFLEN-1; i>=0; i--) {
356 for (j=0; j<32; j++) {
357 if(BigBuf[i] & (1 << j)) {
358 dest[--n] = 1;
359 } else {
360 dest[--n] = -1;
361 }
362 }
363 }
364 }
365
366 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
367 // if crc provided, it will be written with the data verbatim (even if bogus)
368 // if not provided a valid crc will be computed from the data and written.
369 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
370 {
371 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
372 if(crc == 0) {
373 crc = update_crc16(crc, (idlo)&0xff);
374 crc = update_crc16(crc, (idlo>>8)&0xff);
375 crc = update_crc16(crc, (idlo>>16)&0xff);
376 crc = update_crc16(crc, (idlo>>24)&0xff);
377 crc = update_crc16(crc, (idhi)&0xff);
378 crc = update_crc16(crc, (idhi>>8)&0xff);
379 crc = update_crc16(crc, (idhi>>16)&0xff);
380 crc = update_crc16(crc, (idhi>>24)&0xff);
381 }
382 Dbprintf("Writing to tag: %x%08x, crc=%x",
383 (unsigned int) idhi, (unsigned int) idlo, crc);
384
385 // TI tags charge at 134.2Khz
386 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
387 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
388 // connects to SSP_DIN and the SSP_DOUT logic level controls
389 // whether we're modulating the antenna (high)
390 // or listening to the antenna (low)
391 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
392 LED_A_ON();
393
394 // steal this pin from the SSP and use it to control the modulation
395 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
396 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
397
398 // writing algorithm:
399 // a high bit consists of a field off for 1ms and field on for 1ms
400 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
401 // initiate a charge time of 50ms (field on) then immediately start writing bits
402 // start by writing 0xBB (keyword) and 0xEB (password)
403 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
404 // finally end with 0x0300 (write frame)
405 // all data is sent lsb firts
406 // finish with 15ms programming time
407
408 // modulate antenna
409 HIGH(GPIO_SSC_DOUT);
410 SpinDelay(50); // charge time
411
412 WriteTIbyte(0xbb); // keyword
413 WriteTIbyte(0xeb); // password
414 WriteTIbyte( (idlo )&0xff );
415 WriteTIbyte( (idlo>>8 )&0xff );
416 WriteTIbyte( (idlo>>16)&0xff );
417 WriteTIbyte( (idlo>>24)&0xff );
418 WriteTIbyte( (idhi )&0xff );
419 WriteTIbyte( (idhi>>8 )&0xff );
420 WriteTIbyte( (idhi>>16)&0xff );
421 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
422 WriteTIbyte( (crc )&0xff ); // crc lo
423 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
424 WriteTIbyte(0x00); // write frame lo
425 WriteTIbyte(0x03); // write frame hi
426 HIGH(GPIO_SSC_DOUT);
427 SpinDelay(50); // programming time
428
429 LED_A_OFF();
430
431 // get TI tag data into the buffer
432 AcquireTiType();
433
434 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
435 DbpString("Now use `lf ti read` to check");
436 }
437
438 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
439 {
440 int i;
441 uint8_t *tab = BigBuf_get_addr();
442
443 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
444 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
445 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
446
447 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
448
449 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
450 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
451
452 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
453 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
454
455 i = 0;
456 for(;;) {
457 //wait until SSC_CLK goes HIGH
458 int ii = 0;
459 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
460 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
461 if ( ii == 1000 ) {
462 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
463 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
464 DbpString("Stopped");
465 return;
466 }
467 ii=0;
468 }
469 WDT_HIT();
470 ii++;
471 }
472 if (ledcontrol)
473 LED_D_ON();
474
475 if(tab[i])
476 OPEN_COIL();
477 else
478 SHORT_COIL();
479
480 if (ledcontrol)
481 LED_D_OFF();
482 ii=0;
483 //wait until SSC_CLK goes LOW
484 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
485 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
486 if ( ii == 1000 ) {
487 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
489 DbpString("Stopped");
490 return;
491 }
492 ii=0;
493 }
494 WDT_HIT();
495 ii++;
496 }
497
498 i++;
499 if(i == period) {
500
501 i = 0;
502 if (gap) {
503 SHORT_COIL();
504 SpinDelayUs(gap);
505 }
506 }
507
508 }
509 }
510
511 #define DEBUG_FRAME_CONTENTS 1
512 void SimulateTagLowFrequencyBidir(int divisor, int t0)
513 {
514 }
515
516 // compose fc/8 fc/10 waveform (FSK2)
517 static void fc(int c, int *n)
518 {
519 uint8_t *dest = BigBuf_get_addr();
520 int idx;
521
522 // for when we want an fc8 pattern every 4 logical bits
523 if(c==0) {
524 dest[((*n)++)]=1;
525 dest[((*n)++)]=1;
526 dest[((*n)++)]=1;
527 dest[((*n)++)]=1;
528 dest[((*n)++)]=0;
529 dest[((*n)++)]=0;
530 dest[((*n)++)]=0;
531 dest[((*n)++)]=0;
532 }
533
534 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
535 if(c==8) {
536 for (idx=0; idx<6; idx++) {
537 dest[((*n)++)]=1;
538 dest[((*n)++)]=1;
539 dest[((*n)++)]=1;
540 dest[((*n)++)]=1;
541 dest[((*n)++)]=0;
542 dest[((*n)++)]=0;
543 dest[((*n)++)]=0;
544 dest[((*n)++)]=0;
545 }
546 }
547
548 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
549 if(c==10) {
550 for (idx=0; idx<5; idx++) {
551 dest[((*n)++)]=1;
552 dest[((*n)++)]=1;
553 dest[((*n)++)]=1;
554 dest[((*n)++)]=1;
555 dest[((*n)++)]=1;
556 dest[((*n)++)]=0;
557 dest[((*n)++)]=0;
558 dest[((*n)++)]=0;
559 dest[((*n)++)]=0;
560 dest[((*n)++)]=0;
561 }
562 }
563 }
564 // compose fc/X fc/Y waveform (FSKx)
565 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
566 {
567 uint8_t *dest = BigBuf_get_addr();
568 uint8_t halfFC = fc/2;
569 uint8_t wavesPerClock = clock/fc;
570 uint8_t mod = clock % fc; //modifier
571 uint8_t modAdj = fc/mod; //how often to apply modifier
572 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=true;
573 // loop through clock - step field clock
574 for (uint8_t idx=0; idx < wavesPerClock; idx++){
575 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
576 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
577 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
578 *n += fc;
579 }
580 if (mod>0) (*modCnt)++;
581 if ((mod>0) && modAdjOk){ //fsk2
582 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
583 memset(dest+(*n), 0, fc-halfFC);
584 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
585 *n += fc;
586 }
587 }
588 if (mod>0 && !modAdjOk){ //fsk1
589 memset(dest+(*n), 0, mod-(mod/2));
590 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
591 *n += mod;
592 }
593 }
594
595 // prepare a waveform pattern in the buffer based on the ID given then
596 // simulate a HID tag until the button is pressed
597 void CmdHIDsimTAG(int hi2, int hi, int lo, int ledcontrol)
598 {
599 int n=0, i=0;
600 /*
601 HID tag bitstream format
602 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
603 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
604 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
605 A fc8 is inserted before every 4 bits
606 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
607 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
608 */
609
610 if (hi2>0x0FFFFFFF) {
611 DbpString("Tags can only have 44 or 84 bits. - USE lf simfsk for larger tags");
612 return;
613 }
614 // set LF so we don't kill the bigbuf we are setting with simulation data.
615 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
616
617 fc(0,&n);
618 // special start of frame marker containing invalid bit sequences
619 fc(8, &n); fc(8, &n); // invalid
620 fc(8, &n); fc(10, &n); // logical 0
621 fc(10, &n); fc(10, &n); // invalid
622 fc(8, &n); fc(10, &n); // logical 0
623
624 WDT_HIT();
625 if (hi2 > 0 || hi > 0xFFF){
626 // manchester encode bits 91 to 64 (91-84 are part of the header)
627 for (i=27; i>=0; i--) {
628 if ((i%4)==3) fc(0,&n);
629 if ((hi2>>i)&1) {
630 fc(10, &n); fc(8, &n); // low-high transition
631 } else {
632 fc(8, &n); fc(10, &n); // high-low transition
633 }
634 }
635 WDT_HIT();
636 // manchester encode bits 63 to 32
637 for (i=31; i>=0; i--) {
638 if ((i%4)==3) fc(0,&n);
639 if ((hi>>i)&1) {
640 fc(10, &n); fc(8, &n); // low-high transition
641 } else {
642 fc(8, &n); fc(10, &n); // high-low transition
643 }
644 }
645 } else {
646 // manchester encode bits 43 to 32
647 for (i=11; i>=0; i--) {
648 if ((i%4)==3) fc(0,&n);
649 if ((hi>>i)&1) {
650 fc(10, &n); fc(8, &n); // low-high transition
651 } else {
652 fc(8, &n); fc(10, &n); // high-low transition
653 }
654 }
655 }
656
657 WDT_HIT();
658 // manchester encode bits 31 to 0
659 for (i=31; i>=0; i--) {
660 if ((i%4)==3) fc(0,&n);
661 if ((lo>>i)&1) {
662 fc(10, &n); fc(8, &n); // low-high transition
663 } else {
664 fc(8, &n); fc(10, &n); // high-low transition
665 }
666 }
667
668 if (ledcontrol)
669 LED_A_ON();
670 SimulateTagLowFrequency(n, 0, ledcontrol);
671
672 if (ledcontrol)
673 LED_A_OFF();
674 }
675
676 // prepare a waveform pattern in the buffer based on the ID given then
677 // simulate a FSK tag until the button is pressed
678 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
679 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
680 {
681 int ledcontrol=1;
682 int n=0, i=0;
683 uint8_t fcHigh = arg1 >> 8;
684 uint8_t fcLow = arg1 & 0xFF;
685 uint16_t modCnt = 0;
686 uint8_t clk = arg2 & 0xFF;
687 uint8_t invert = (arg2 >> 8) & 1;
688
689 // set LF so we don't kill the bigbuf we are setting with simulation data.
690 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
691
692 for (i=0; i<size; i++){
693 if (BitStream[i] == invert){
694 fcAll(fcLow, &n, clk, &modCnt);
695 } else {
696 fcAll(fcHigh, &n, clk, &modCnt);
697 }
698 }
699 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
700 /*Dbprintf("DEBUG: First 32:");
701 uint8_t *dest = BigBuf_get_addr();
702 i=0;
703 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
704 i+=16;
705 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
706 */
707 if (ledcontrol)
708 LED_A_ON();
709
710 SimulateTagLowFrequency(n, 0, ledcontrol);
711
712 if (ledcontrol)
713 LED_A_OFF();
714 }
715
716 // compose ask waveform for one bit(ASK)
717 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
718 {
719 uint8_t *dest = BigBuf_get_addr();
720 uint8_t halfClk = clock/2;
721 // c = current bit 1 or 0
722 if (manchester==1){
723 memset(dest+(*n), c, halfClk);
724 memset(dest+(*n) + halfClk, c^1, halfClk);
725 } else {
726 memset(dest+(*n), c, clock);
727 }
728 *n += clock;
729 }
730
731 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
732 {
733 uint8_t *dest = BigBuf_get_addr();
734 uint8_t halfClk = clock/2;
735 if (c){
736 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
737 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
738 } else {
739 memset(dest+(*n), c ^ *phase, clock);
740 *phase ^= 1;
741 }
742 *n += clock;
743 }
744
745 static void stAskSimBit(int *n, uint8_t clock) {
746 uint8_t *dest = BigBuf_get_addr();
747 uint8_t halfClk = clock/2;
748 //ST = .5 high .5 low 1.5 high .5 low 1 high
749 memset(dest+(*n), 1, halfClk);
750 memset(dest+(*n) + halfClk, 0, halfClk);
751 memset(dest+(*n) + clock, 1, clock + halfClk);
752 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
753 memset(dest+(*n) + clock*3, 1, clock);
754 *n += clock*4;
755 }
756
757 // args clock, ask/man or askraw, invert, transmission separator
758 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
759 {
760 int ledcontrol = 1;
761 int n=0, i=0;
762 uint8_t clk = (arg1 >> 8) & 0xFF;
763 uint8_t encoding = arg1 & 0xFF;
764 uint8_t separator = arg2 & 1;
765 uint8_t invert = (arg2 >> 8) & 1;
766
767 // set LF so we don't kill the bigbuf we are setting with simulation data.
768 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
769
770 if (encoding==2){ //biphase
771 uint8_t phase=0;
772 for (i=0; i<size; i++){
773 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
774 }
775 if (phase==1) { //run a second set inverted to keep phase in check
776 for (i=0; i<size; i++){
777 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
778 }
779 }
780 } else { // ask/manchester || ask/raw
781 for (i=0; i<size; i++){
782 askSimBit(BitStream[i]^invert, &n, clk, encoding);
783 }
784 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
785 for (i=0; i<size; i++){
786 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
787 }
788 }
789 }
790 if (separator==1 && encoding == 1)
791 stAskSimBit(&n, clk);
792 else if (separator==1)
793 Dbprintf("sorry but separator option not yet available");
794
795 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
796 //DEBUG
797 //Dbprintf("First 32:");
798 //uint8_t *dest = BigBuf_get_addr();
799 //i=0;
800 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
801 //i+=16;
802 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
803
804 if (ledcontrol) LED_A_ON();
805 SimulateTagLowFrequency(n, 0, ledcontrol);
806 if (ledcontrol) LED_A_OFF();
807 }
808
809 //carrier can be 2,4 or 8
810 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
811 {
812 uint8_t *dest = BigBuf_get_addr();
813 uint8_t halfWave = waveLen/2;
814 //uint8_t idx;
815 int i = 0;
816 if (phaseChg){
817 // write phase change
818 memset(dest+(*n), *curPhase^1, halfWave);
819 memset(dest+(*n) + halfWave, *curPhase, halfWave);
820 *n += waveLen;
821 *curPhase ^= 1;
822 i += waveLen;
823 }
824 //write each normal clock wave for the clock duration
825 for (; i < clk; i+=waveLen){
826 memset(dest+(*n), *curPhase, halfWave);
827 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
828 *n += waveLen;
829 }
830 }
831
832 // args clock, carrier, invert,
833 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
834 {
835 int ledcontrol=1;
836 int n=0, i=0;
837 uint8_t clk = arg1 >> 8;
838 uint8_t carrier = arg1 & 0xFF;
839 uint8_t invert = arg2 & 0xFF;
840 uint8_t curPhase = 0;
841 // set LF so we don't kill the bigbuf we are setting with simulation data.
842 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
843
844 for (i=0; i<size; i++){
845 if (BitStream[i] == curPhase){
846 pskSimBit(carrier, &n, clk, &curPhase, false);
847 } else {
848 pskSimBit(carrier, &n, clk, &curPhase, true);
849 }
850 }
851 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
852 //Dbprintf("DEBUG: First 32:");
853 //uint8_t *dest = BigBuf_get_addr();
854 //i=0;
855 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
856 //i+=16;
857 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
858
859 if (ledcontrol) LED_A_ON();
860 SimulateTagLowFrequency(n, 0, ledcontrol);
861 if (ledcontrol) LED_A_OFF();
862 }
863
864 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
865 void CmdHIDdemodFSK(int findone, int *high2, int *high, int *low, int ledcontrol)
866 {
867 uint8_t *dest = BigBuf_get_addr();
868 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
869 size_t size;
870 uint32_t hi2=0, hi=0, lo=0;
871 int idx=0;
872 int dummyIdx = 0;
873 // Configure to go in 125Khz listen mode
874 LFSetupFPGAForADC(95, true);
875
876 //clear read buffer
877 BigBuf_Clear_keep_EM();
878
879 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
880 WDT_HIT();
881 if (ledcontrol) LED_A_ON();
882
883 DoAcquisition_default(-1,true);
884 // FSK demodulator
885 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
886 size = 50*128*2; //big enough to catch 2 sequences of largest format
887 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
888
889 if (idx>0 && lo>0 && (size==96 || size==192)){
890 uint8_t bitlen = 0;
891 uint32_t fc = 0;
892 uint32_t cardnum = 0;
893 bool decoded = false;
894
895 // go over previously decoded manchester data and decode into usable tag ID
896 if ((hi2 & 0x000FFFF) != 0){ //extra large HID tags 88/192 bits
897 uint32_t bp = hi2 & 0x000FFFFF;
898 bitlen = 63;
899 while (bp > 0) {
900 bp = bp >> 1;
901 bitlen++;
902 }
903 } else if ((hi >> 6) > 0) {
904 uint32_t bp = hi;
905 bitlen = 31;
906 while (bp > 0) {
907 bp = bp >> 1;
908 bitlen++;
909 }
910 } else if (((hi >> 5) & 1) == 0) {
911 bitlen = 37;
912 } else if ((hi & 0x0000001F) > 0 ) {
913 uint32_t bp = (hi & 0x0000001F);
914 bitlen = 31;
915 while (bp > 0) {
916 bp = bp >> 1;
917 bitlen++;
918 }
919 } else {
920 uint32_t bp = lo;
921 bitlen = 0;
922 while (bp > 0) {
923 bp = bp >> 1;
924 bitlen++;
925 }
926 }
927 switch (bitlen){
928 case 26:
929 cardnum = (lo>>1)&0xFFFF;
930 fc = (lo>>17)&0xFF;
931 decoded = true;
932 break;
933 case 35:
934 cardnum = (lo>>1)&0xFFFFF;
935 fc = ((hi&1)<<11)|(lo>>21);
936 decoded = true;
937 break;
938 }
939
940 if (hi2 != 0) //extra large HID tags 88/192 bits
941 Dbprintf("TAG ID: %x%08x%08x (%d)",
942 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
943 else
944 Dbprintf("TAG ID: %x%08x (%d)",
945 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
946
947 if (decoded)
948 Dbprintf("Format Len: %dbits - FC: %d - Card: %d",
949 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
950
951 if (findone){
952 if (ledcontrol) LED_A_OFF();
953 *high2 = hi2;
954 *high = hi;
955 *low = lo;
956 break;
957 }
958 // reset
959 }
960 hi2 = hi = lo = idx = 0;
961 WDT_HIT();
962 }
963
964 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
965 DbpString("Stopped");
966 if (ledcontrol) LED_A_OFF();
967 }
968
969 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
970 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
971 {
972 uint8_t *dest = BigBuf_get_addr();
973 size_t size;
974 int idx=0, dummyIdx=0;
975 //clear read buffer
976 BigBuf_Clear_keep_EM();
977 // Configure to go in 125Khz listen mode
978 LFSetupFPGAForADC(95, true);
979
980 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
981
982 WDT_HIT();
983 if (ledcontrol) LED_A_ON();
984
985 DoAcquisition_default(-1,true);
986 // FSK demodulator
987 size = 50*128*2; //big enough to catch 2 sequences of largest format
988 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
989
990 if (idx<=0 || size!=96) continue;
991 // Index map
992 // 0 10 20 30 40 50 60
993 // | | | | | | |
994 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
995 // -----------------------------------------------------------------------------
996 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
997 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
998 // |---26 bit---| |-----117----||-------------142-------------|
999 // b = format bit len, o = odd parity of last 3 bits
1000 // f = facility code, c = card number
1001 // w = wiegand parity
1002 // (26 bit format shown)
1003
1004 //get raw ID before removing parities
1005 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
1006 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
1007 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
1008
1009 size = removeParity(dest, idx+8, 4, 1, 88);
1010 if (size != 66) continue;
1011 // ok valid card found!
1012
1013 // Index map
1014 // 0 10 20 30 40 50 60
1015 // | | | | | | |
1016 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
1017 // -----------------------------------------------------------------------------
1018 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
1019 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1020 // |26 bit| |-117--| |-----142------|
1021 // b = format bit len, o = odd parity of last 3 bits
1022 // f = facility code, c = card number
1023 // w = wiegand parity
1024 // (26 bit format shown)
1025
1026 uint32_t fc = 0;
1027 uint32_t cardnum = 0;
1028 uint32_t code1 = 0;
1029 uint32_t code2 = 0;
1030 uint8_t fmtLen = bytebits_to_byte(dest,8);
1031 if (fmtLen==26){
1032 fc = bytebits_to_byte(dest+9, 8);
1033 cardnum = bytebits_to_byte(dest+17, 16);
1034 code1 = bytebits_to_byte(dest+8,fmtLen);
1035 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
1036 } else {
1037 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1038 if (fmtLen>32){
1039 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1040 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1041 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1042 } else{
1043 code1 = bytebits_to_byte(dest+8,fmtLen);
1044 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1045 }
1046 }
1047 if (findone){
1048 if (ledcontrol) LED_A_OFF();
1049 break;
1050 }
1051 // reset
1052 idx = 0;
1053 WDT_HIT();
1054 }
1055 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1056 DbpString("Stopped");
1057 if (ledcontrol) LED_A_OFF();
1058 }
1059
1060 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1061 {
1062 uint8_t *dest = BigBuf_get_addr();
1063
1064 size_t size=0, idx=0;
1065 int clk=0, invert=0, errCnt=0, maxErr=20;
1066 uint32_t hi=0;
1067 uint64_t lo=0;
1068 //clear read buffer
1069 BigBuf_Clear_keep_EM();
1070 // Configure to go in 125Khz listen mode
1071 LFSetupFPGAForADC(95, true);
1072
1073 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1074
1075 WDT_HIT();
1076 if (ledcontrol) LED_A_ON();
1077
1078 DoAcquisition_default(-1,true);
1079 size = BigBuf_max_traceLen();
1080 //askdemod and manchester decode
1081 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1082 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1083 WDT_HIT();
1084
1085 if (errCnt<0) continue;
1086
1087 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1088 if (errCnt){
1089 if (size>64){
1090 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1091 hi,
1092 (uint32_t)(lo>>32),
1093 (uint32_t)lo,
1094 (uint32_t)(lo&0xFFFF),
1095 (uint32_t)((lo>>16LL) & 0xFF),
1096 (uint32_t)(lo & 0xFFFFFF));
1097 } else {
1098 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1099 (uint32_t)(lo>>32),
1100 (uint32_t)lo,
1101 (uint32_t)(lo&0xFFFF),
1102 (uint32_t)((lo>>16LL) & 0xFF),
1103 (uint32_t)(lo & 0xFFFFFF));
1104 }
1105
1106 if (findone){
1107 if (ledcontrol) LED_A_OFF();
1108 *high=lo>>32;
1109 *low=lo & 0xFFFFFFFF;
1110 break;
1111 }
1112 }
1113 WDT_HIT();
1114 hi = lo = size = idx = 0;
1115 clk = invert = errCnt = 0;
1116 }
1117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1118 DbpString("Stopped");
1119 if (ledcontrol) LED_A_OFF();
1120 }
1121
1122 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1123 {
1124 uint8_t *dest = BigBuf_get_addr();
1125 int idx=0;
1126 uint32_t code=0, code2=0;
1127 uint8_t version=0;
1128 uint8_t facilitycode=0;
1129 uint16_t number=0;
1130 int dummyIdx=0;
1131 //clear read buffer
1132 BigBuf_Clear_keep_EM();
1133 // Configure to go in 125Khz listen mode
1134 LFSetupFPGAForADC(95, true);
1135
1136 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1137 WDT_HIT();
1138 if (ledcontrol) LED_A_ON();
1139 DoAcquisition_default(-1,true);
1140 //fskdemod and get start index
1141 WDT_HIT();
1142 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1143 if (idx<0) continue;
1144 //valid tag found
1145
1146 //Index map
1147 //0 10 20 30 40 50 60
1148 //| | | | | | |
1149 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1150 //-----------------------------------------------------------------------------
1151 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1152 //
1153 //XSF(version)facility:codeone+codetwo
1154 //Handle the data
1155 if(findone){ //only print binary if we are doing one
1156 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1157 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1158 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1159 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1160 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1161 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1162 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1163 }
1164 code = bytebits_to_byte(dest+idx,32);
1165 code2 = bytebits_to_byte(dest+idx+32,32);
1166 version = bytebits_to_byte(dest+idx+27,8); //14,4
1167 facilitycode = bytebits_to_byte(dest+idx+18,8);
1168 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1169
1170 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1171 // if we're only looking for one tag
1172 if (findone){
1173 if (ledcontrol) LED_A_OFF();
1174 //LED_A_OFF();
1175 *high=code;
1176 *low=code2;
1177 break;
1178 }
1179 code=code2=0;
1180 version=facilitycode=0;
1181 number=0;
1182 idx=0;
1183
1184 WDT_HIT();
1185 }
1186 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1187 DbpString("Stopped");
1188 if (ledcontrol) LED_A_OFF();
1189 }
1190
1191 /*------------------------------
1192 * T5555/T5557/T5567/T5577 routines
1193 *------------------------------
1194 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1195 *
1196 * Relevant communication times in microsecond
1197 * To compensate antenna falling times shorten the write times
1198 * and enlarge the gap ones.
1199 * Q5 tags seems to have issues when these values changes.
1200 */
1201 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1202 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1203 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1204 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1205 #define READ_GAP 15*8
1206 // Long Leading Reference
1207 #define Reference_llr (136+18)*8 // Needs to be WRITR_0 + 136 clocks.
1208
1209 void TurnReadLFOn(int delay) {
1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1211 // Give it a bit of time for the resonant antenna to settle.
1212 WaitUS(delay); //155*8 //50*8
1213 }
1214
1215 // Write one bit to card
1216 void T55xxWriteBit(int bit) {
1217 if (!bit)
1218 TurnReadLFOn(WRITE_0);
1219 else
1220 TurnReadLFOn(WRITE_1);
1221 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1222 WaitUS(WRITE_GAP);
1223 }
1224
1225 void T55xxWrite_LLR (void)
1226 {
1227 TurnReadLFOn (Reference_llr);
1228 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1229 WaitUS(WRITE_GAP);
1230 }
1231
1232 #define START_GAPlz 31*8
1233 #define WRITE_GAPlz 20*8
1234 #define WRITElz_0 18*8
1235 #define WRITElz_1 40*8
1236 #define READ_GAP 15*8
1237
1238 void T55xxWriteBit_Leading0(int bit) {
1239 if (!bit)
1240 TurnReadLFOn(WRITElz_0);
1241 else
1242 TurnReadLFOn(WRITElz_1);
1243 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1244 WaitUS(WRITE_GAPlz);
1245 // WaitUS(160);
1246 }
1247
1248 #define START_GAP1of4 31*8 // SPEC: 1*8 to 50*8 - typ 10*8 (or 15fc)
1249 #define WRITE_GAP1of4 20*8 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1250 // 00 = reference // 8 * 8 - - 68 * 8
1251 #define WRITE1of4_00 18*8 // SPEC: 8*8 to 68*8 - typ 24*8 (or 24fc)
1252 #define WRITE1of4_01 34*8 // SPEC: dref+9 - dref+16 - dref+24
1253 #define WRITE1of4_10 50*8 // SPEC: dref+25 - dref+32 - dref+40
1254 #define WRITE1of4_11 66*8 // SPEC: dref+41 - dref+48 - dref+56
1255 #define READ1of4_GAP 15*8
1256
1257 void T55xxWriteBit_1of4(int bits) {
1258
1259 switch (bits)
1260 {
1261 case 0 : TurnReadLFOn(WRITE1of4_00); break;
1262 case 1 : TurnReadLFOn(WRITE1of4_01); break;
1263 case 2 : TurnReadLFOn(WRITE1of4_10); break;
1264 case 3 : TurnReadLFOn(WRITE1of4_11); break;
1265 default:
1266 TurnReadLFOn(WRITE1of4_00);
1267 }
1268
1269 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1270 WaitUS(WRITE_GAP1of4);
1271 // WaitUS(160);
1272 }
1273
1274 void T55xxWriteBlockExt_Leading0 (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1275
1276 LED_A_ON();
1277 bool PwdMode = arg & 0x1;
1278 uint8_t Page = (arg & 0x2)>>1;
1279 bool testMode = arg & 0x4;
1280 uint32_t i = 0;
1281
1282 // Set up FPGA, 125kHz
1283 LFSetupFPGAForADC(95, true);
1284 StartTicks();
1285 // make sure tag is fully powered up...
1286 WaitMS(5);
1287 // Trigger T55x7 in mode.
1288 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1289
1290 WaitUS(START_GAPlz);
1291
1292
1293 /*
1294 0 : Leading Zero
1295 11 : Opcode
1296 00 : Fixed 00 if protected write (i.e. have password)
1297 <32 bit Password>
1298 0 : Lock Bit
1299 <32 bit data>
1300 <3 bit addr>
1301
1302 Standard Write : 0 1p L <32 data bits> <3 bit addr>
1303 0 10 0 00000000000000000000000000000000 001
1304 Protected Write: 0 1p 00 <32 pwd bits> L <32 data bits> <3 bit addr>
1305 0 10 00 00000000000000000000000000000000 0 00000000000000000000000000000000 001
1306 Wake Up 0 10 00 <32 pwd bits>
1307 Protected Read 0 1p 00 <32 pwd bits> 0 <3 bit addr>
1308 Standard Read 0 1p 0 <3 bit addr>
1309 Page 0/1 read 0 1p
1310 Reset 0 00
1311
1312 */
1313 T55xxWriteBit_Leading0 (0); //T55xxWriteBit(0);
1314
1315
1316 if (testMode) Dbprintf("TestMODE");
1317 // Std Opcode 10
1318 T55xxWriteBit_Leading0 (testMode ? 0 : 1);
1319 T55xxWriteBit_Leading0 (testMode ? 1 : Page); //Page 0
1320
1321
1322 if (PwdMode) {
1323 // Leading zero - insert two fixed 00 between opcode and password
1324 T55xxWriteBit_Leading0 (0);
1325 T55xxWriteBit_Leading0 (0);
1326 // Send Pwd
1327 for (i = 0x80000000; i != 0; i >>= 1)
1328 T55xxWriteBit_Leading0 (Pwd & i);
1329 }
1330
1331 // Send Lock bit
1332 T55xxWriteBit_Leading0 (0);
1333
1334 // Send Data
1335 for (i = 0x80000000; i != 0; i >>= 1)
1336 T55xxWriteBit_Leading0(Data & i);
1337
1338 // Send Block number
1339 for (i = 0x04; i != 0; i >>= 1)
1340 T55xxWriteBit_Leading0 (Block & i);
1341
1342 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1343 // so wait a little more)
1344 // "there is a clock delay before programming"
1345 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1346 // so we should wait 1 clock + 5.6ms then read response?
1347 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1348 if (testMode) {
1349 //TESTMODE TIMING TESTS:
1350 // <566us does nothing
1351 // 566-568 switches between wiping to 0s and doing nothing
1352 // 5184 wipes and allows 1 block to be programmed.
1353 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1354 TurnReadLFOn(5184);
1355
1356 } else {
1357 TurnReadLFOn(20 * 1000);
1358 //could attempt to do a read to confirm write took
1359 // as the tag should repeat back the new block
1360 // until it is reset, but to confirm it we would
1361 // need to know the current block 0 config mode for
1362 // modulation clock an other details to demod the response...
1363 // response should be (for t55x7) a 0 bit then (ST if on)
1364 // block data written in on repeat until reset.
1365
1366 //DoPartialAcquisition(20, true, 12000);
1367 }
1368
1369 // turn field off
1370 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1371 LED_A_OFF();
1372
1373 }
1374 void T55xxWriteBlockExt_1of4 (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1375
1376 LED_A_ON();
1377 bool PwdMode = arg & 0x1;
1378 uint8_t Page = (arg & 0x2)>>1;
1379 bool testMode = arg & 0x4;
1380 int bitpos;
1381 uint8_t bits;
1382
1383 // Set up FPGA, 125kHz
1384 LFSetupFPGAForADC(95, true);
1385 StartTicks();
1386 // make sure tag is fully powered up...
1387 WaitMS(5);
1388 // Trigger T55x7 in mode.
1389 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1390
1391
1392 WaitUS(START_GAP1of4);
1393
1394
1395 /*
1396 00 : 1 if 4
1397 11 : Opcode
1398 00 : Fixed 00 if protected write (i.e. have password)
1399 <32 bit Password>
1400 0 : Lock Bit
1401 <32 bit data>
1402 <3 bit addr>
1403
1404 Standard Write : 00 1p L <32 data bits> <3 bit addr>
1405 00 10 0 00000000000000000000000000000000 001
1406 Protected Write: 00 1p 00 <32 pwd bits> L <32 data bits> <3 bit addr>
1407 00 10 00 00000000000000000000000000000000 0 00000000000000000000000000000000 001
1408 Wake Up 00 10 00 <32 pwd bits>
1409 Protected Read 00 1p 00 <32 pwd bits> 0 <3 bit addr>
1410 Standard Read 00 1p 0 <3 bit addr>
1411 Page 0/1 read 00 1p
1412 Reset 00 00
1413
1414 */
1415 T55xxWriteBit_1of4 (0); //Send Reference 00
1416
1417 if (testMode) Dbprintf("TestMODE");
1418 // Std Opcode 10
1419 if (testMode) bits = 0; else bits = 2; // 0x or 1x
1420 if (testMode) bits |= 1; else bits += (Page); // x0 or x1
1421 T55xxWriteBit_1of4 (bits);
1422
1423 if (PwdMode) {
1424 // 1 of 4 00 - insert two fixed 00 between opcode and password
1425 T55xxWriteBit_1of4 (0); // 00
1426
1427 // Send Pwd
1428 for (bitpos = 31; bitpos >= 1; bitpos -= 2) { // 2 bits at a time
1429 bits = (((Pwd >> bitpos) & 1) << 1) + ((Pwd >> (bitpos-1)) & 1);
1430 T55xxWriteBit_1of4 (bits);
1431 }
1432 }
1433
1434 // Send Lock bit
1435 bits = 0; // Add lock bit (Not Set) to the next 2 bits
1436
1437 // Send Data - offset by 1 bit due to lock bit
1438 // 2 bits at a time - Initilised with lock bit above
1439 for (bitpos = 31; bitpos >= 1; bitpos -= 2) {
1440 bits |= ((Data >> bitpos) & 1); // Add Low bit
1441 T55xxWriteBit_1of4 (bits);
1442 bits = ((Data >> (bitpos-1)) & 1) << 1; // Set next high bit
1443 }
1444
1445 // Send Block number
1446 bits |= ((Block >> 2) & 1);
1447 T55xxWriteBit_1of4 (bits);
1448 bits = (Block & 3);// 1) & 2) + (Block & 1);
1449 T55xxWriteBit_1of4 (bits);
1450
1451 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1452 // so wait a little more)
1453 // "there is a clock delay before programming"
1454 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1455 // so we should wait 1 clock + 5.6ms then read response?
1456 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1457 if (testMode) {
1458 //TESTMODE TIMING TESTS:
1459 // <566us does nothing
1460 // 566-568 switches between wiping to 0s and doing nothing
1461 // 5184 wipes and allows 1 block to be programmed.
1462 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1463 TurnReadLFOn(5184);
1464
1465 } else {
1466 TurnReadLFOn(20 * 1000);
1467 //could attempt to do a read to confirm write took
1468 // as the tag should repeat back the new block
1469 // until it is reset, but to confirm it we would
1470 // need to know the current block 0 config mode for
1471 // modulation clock an other details to demod the response...
1472 // response should be (for t55x7) a 0 bit then (ST if on)
1473 // block data written in on repeat until reset.
1474
1475 //DoPartialAcquisition(20, true, 12000);
1476 }
1477
1478 // turn field off
1479 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1480 LED_A_OFF();
1481
1482 }
1483
1484 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1485 void T55xxResetRead(void) {
1486 LED_A_ON();
1487 //clear buffer now so it does not interfere with timing later
1488 BigBuf_Clear_keep_EM();
1489
1490 // Set up FPGA, 125kHz
1491 LFSetupFPGAForADC(95, true);
1492 StartTicks();
1493 // make sure tag is fully powered up...
1494 WaitMS(5);
1495
1496 // Trigger T55x7 in mode.
1497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1498 WaitUS(START_GAP);
1499
1500 // reset tag - op code 00
1501 T55xxWriteBit(0);
1502 T55xxWriteBit(0);
1503
1504 TurnReadLFOn(READ_GAP);
1505
1506 // Acquisition
1507 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1508
1509 // Turn the field off
1510 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1511 cmd_send(CMD_ACK,0,0,0,0,0);
1512 LED_A_OFF();
1513 }
1514
1515 // Write one card block in page 0, no lock
1516 void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1517 LED_A_ON();
1518 bool PwdMode = arg & 0x1;
1519 uint8_t Page = (arg & 0x2)>>1;
1520 bool testMode = arg & 0x4;
1521 uint32_t i = 0;
1522
1523 // Set up FPGA, 125kHz
1524 LFSetupFPGAForADC(95, true);
1525 StartTicks();
1526 // make sure tag is fully powered up...
1527 WaitMS(5);
1528 // Trigger T55x7 in mode.
1529 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1530 WaitUS(START_GAP);
1531
1532 if (testMode) Dbprintf("TestMODE");
1533 // Std Opcode 10
1534 T55xxWriteBit(testMode ? 0 : 1);
1535 T55xxWriteBit(testMode ? 1 : Page); //Page 0
1536
1537 if (PwdMode) {
1538 // Send Pwd
1539 for (i = 0x80000000; i != 0; i >>= 1)
1540 T55xxWriteBit(Pwd & i);
1541 }
1542 // Send Lock bit
1543 T55xxWriteBit(0);
1544
1545 // Send Data
1546 for (i = 0x80000000; i != 0; i >>= 1)
1547 T55xxWriteBit(Data & i);
1548
1549 // Send Block number
1550 for (i = 0x04; i != 0; i >>= 1)
1551 T55xxWriteBit(Block & i);
1552
1553 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1554 // so wait a little more)
1555
1556 // "there is a clock delay before programming"
1557 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1558 // so we should wait 1 clock + 5.6ms then read response?
1559 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1560 if (testMode) {
1561 //TESTMODE TIMING TESTS:
1562 // <566us does nothing
1563 // 566-568 switches between wiping to 0s and doing nothing
1564 // 5184 wipes and allows 1 block to be programmed.
1565 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1566 TurnReadLFOn(5184);
1567
1568 } else {
1569 TurnReadLFOn(20 * 1000);
1570 //could attempt to do a read to confirm write took
1571 // as the tag should repeat back the new block
1572 // until it is reset, but to confirm it we would
1573 // need to know the current block 0 config mode for
1574 // modulation clock an other details to demod the response...
1575 // response should be (for t55x7) a 0 bit then (ST if on)
1576 // block data written in on repeat until reset.
1577
1578 //DoPartialAcquisition(20, true, 12000);
1579 }
1580
1581 // turn field off
1582 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1583 LED_A_OFF();
1584 }
1585
1586 // Write one card block in page 0, no lock
1587 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1588 // arg 8 bit 00000000
1589 // 0000000x Password
1590 // 000000x0 Page
1591 // 00000x00 Test Mode
1592 // 000xx000 (0x18) where xx : 00 - Normal Write, 01 - Long Leading Reference
1593 // 10 - Leading 0, 11 - 1 of 4
1594 uint8_t downlink_mode;
1595
1596 downlink_mode = (arg >> 3) & 0x03;
1597
1598 switch (downlink_mode)
1599 {
1600 case 0 : T55xxWriteBlockExt (Data, Block, Pwd, arg); break;
1601 case 1 : T55xxWrite_LLR ();
1602 T55xxWriteBlockExt (Data, Block, Pwd, arg);
1603 break;
1604 case 2 : T55xxWriteBlockExt_Leading0 (Data, Block, Pwd, arg); break;
1605 case 3 : T55xxWriteBlockExt_1of4 (Data, Block, Pwd, arg); break;
1606
1607 default:
1608 T55xxWriteBlockExt (Data, Block, Pwd, arg);
1609 }
1610
1611 cmd_send(CMD_ACK,0,0,0,0,0);
1612 }
1613
1614 // Read one card block in page [page]
1615 void T55xxReadBlockExt (uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1616 LED_A_ON();
1617 bool PwdMode = arg0 & 0x1;
1618 uint8_t Page = (arg0 & 0x2) >> 1;
1619 uint32_t i = 0;
1620 bool RegReadMode = (Block == 0xFF);//regular read mode
1621
1622 //clear buffer now so it does not interfere with timing later
1623 BigBuf_Clear_ext(false);
1624
1625 //make sure block is at max 7
1626 Block &= 0x7;
1627
1628 // Set up FPGA, 125kHz to power up the tag
1629 LFSetupFPGAForADC(95, true);
1630 StartTicks();
1631 // make sure tag is fully powered up...
1632 WaitMS(5);
1633 // Trigger T55x7 Direct Access Mode with start gap
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1635 WaitUS(START_GAP);
1636
1637 // Opcode 1[page]
1638 T55xxWriteBit(1);
1639 T55xxWriteBit(Page); //Page 0
1640
1641 if (PwdMode){
1642 // Send Pwd
1643 for (i = 0x80000000; i != 0; i >>= 1)
1644 T55xxWriteBit(Pwd & i);
1645 }
1646 // Send a zero bit separation
1647 T55xxWriteBit(0);
1648
1649 // Send Block number (if direct access mode)
1650 if (!RegReadMode)
1651 for (i = 0x04; i != 0; i >>= 1)
1652 T55xxWriteBit(Block & i);
1653
1654 // Turn field on to read the response
1655 // 137*8 seems to get to the start of data pretty well...
1656 // but we want to go past the start and let the repeating data settle in...
1657 TurnReadLFOn(210*8);
1658
1659 // Acquisition
1660 // Now do the acquisition
1661 DoPartialAcquisition(0, true, 12000, 0);
1662
1663 // Turn the field off
1664 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1665 // cmd_send(CMD_ACK,0,0,0,0,0);
1666 LED_A_OFF();
1667 }
1668
1669 void T55xxReadBlockExt_Leading0 (uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1670 LED_A_ON();
1671 bool PwdMode = arg0 & 0x1;
1672 uint8_t Page = (arg0 & 0x2) >> 1;
1673 uint32_t i = 0;
1674 bool RegReadMode = (Block == 0xFF);//regular read mode
1675
1676 //clear buffer now so it does not interfere with timing later
1677 BigBuf_Clear_ext(false);
1678
1679 //make sure block is at max 7
1680 Block &= 0x7;
1681
1682 // Set up FPGA, 125kHz to power up the tag
1683 LFSetupFPGAForADC(95, true);
1684 StartTicks();
1685 // make sure tag is fully powered up...
1686 WaitMS(5);
1687 // Trigger T55x7 Direct Access Mode with start gap
1688 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1689 WaitUS(START_GAPlz);
1690
1691 T55xxWriteBit_Leading0 (0);
1692
1693 // Opcode 1[page]
1694 T55xxWriteBit_Leading0 (1);
1695 T55xxWriteBit_Leading0 (Page); //Page 0
1696
1697 if (PwdMode){
1698 // Send Pwd
1699 T55xxWriteBit_Leading0 (0);
1700 T55xxWriteBit_Leading0 (0);
1701
1702 for (i = 0x80000000; i != 0; i >>= 1)
1703 T55xxWriteBit_Leading0 (Pwd & i);
1704 }
1705 // Send a zero bit separation
1706 T55xxWriteBit_Leading0(0);
1707
1708 // Send Block number (if direct access mode)
1709 if (!RegReadMode)
1710 for (i = 0x04; i != 0; i >>= 1)
1711 T55xxWriteBit_Leading0(Block & i);
1712
1713 // Turn field on to read the response
1714 // 137*8 seems to get to the start of data pretty well...
1715 // but we want to go past the start and let the repeating data settle in...
1716 TurnReadLFOn(210*8);
1717
1718 // Acquisition
1719 // Now do the acquisition
1720 DoPartialAcquisition(0, true, 12000, 0);
1721
1722 // Turn the field off
1723 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1724 // cmd_send(CMD_ACK,0,0,0,0,0);
1725 LED_A_OFF();
1726 }
1727
1728 void T55xxReadBlockExt_1of4 (uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1729 LED_A_ON();
1730 bool PwdMode = arg0 & 0x1;
1731 uint8_t Page = (arg0 & 0x2) >> 1;
1732 //uint32_t i = 0;
1733 bool RegReadMode = (Block == 0xFF);//regular read mode
1734 uint8_t bits;
1735 int bitpos;
1736
1737 //clear buffer now so it does not interfere with timing later
1738 BigBuf_Clear_ext(false);
1739
1740 //make sure block is at max 7
1741 Block &= 0x7;
1742
1743 // Set up FPGA, 125kHz to power up the tag
1744 LFSetupFPGAForADC(95, true);
1745 StartTicks();
1746 // make sure tag is fully powered up...
1747 WaitMS(5);
1748 // Trigger T55x7 Direct Access Mode with start gap
1749 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1750 WaitUS(START_GAP1of4);
1751
1752 T55xxWriteBit_1of4 (0); // 2 Bit 00 leading reference
1753
1754 // Opcode 1[page]
1755 bits = 2 + Page;
1756 T55xxWriteBit_1of4 (bits);
1757
1758 if (PwdMode) {
1759 // 1 of 4 00 - insert two fixed 00 between opcode and password
1760 T55xxWriteBit_1of4 (0); // 00
1761
1762 // Send Pwd
1763 for (bitpos = 31; bitpos >= 1; bitpos -= 2) { // 2 bits at a time
1764 bits = (((Pwd >> bitpos) & 1) << 1) + ((Pwd >> (bitpos-1)) & 1);
1765 T55xxWriteBit_1of4 (bits);
1766 }
1767 }
1768
1769 // Send Lock bit
1770 bits = 0; // Add lock bit (Not Set) to the next 2 bits
1771
1772 // Send Block number (if direct access mode)
1773 if (!RegReadMode){
1774 // Send Block number
1775 bits += ((Block >> 2) & 1);
1776 T55xxWriteBit_1of4 (bits);
1777 bits = (Block & 3); // + (Block & 1);
1778 T55xxWriteBit_1of4 (bits);
1779 }
1780
1781 // Turn field on to read the response
1782 // 137*8 seems to get to the start of data pretty well...
1783 // but we want to go past the start and let the repeating data settle in...
1784 TurnReadLFOn(210*8);
1785
1786 // Acquisition
1787 // Now do the acquisition
1788 DoPartialAcquisition(0, true, 12000, 0);
1789 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1790 // cmd_send(CMD_ACK,0,0,0,0,0);
1791 LED_A_OFF();
1792 }
1793
1794 void T55xxReadBlock (uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1795 // arg0 16 bit 00000000
1796 // 0000000x Password
1797 // 000000x0 Page
1798 // 00000x00
1799 // 000xx000 (0x18) where xx : 00 - Normal Write, 01 - Long Leading Reference
1800 // 10 - Leading 0, 11 - 1 of 4
1801 uint8_t downlink_mode;
1802
1803 downlink_mode = (arg0 >> 3) & 0x03;
1804
1805 // downlink mode id set to match the 2 bit as per Tech Sheet
1806 switch (downlink_mode)
1807 {
1808 case 0 : T55xxReadBlockExt (arg0, Block, Pwd); break;
1809 case 1 : T55xxWrite_LLR ();
1810 T55xxReadBlockExt (arg0, Block, Pwd);
1811 break;
1812 case 2 : T55xxReadBlockExt_Leading0 (arg0, Block, Pwd); break;
1813 case 3 : T55xxReadBlockExt_1of4 (arg0, Block, Pwd); break;
1814 default:
1815 T55xxReadBlockExt (arg0, Block, Pwd) ;
1816 }
1817
1818 // T55xxReadBlockExt (arg0, Block, Pwd) ;
1819 cmd_send(CMD_ACK,0,0,0,0,0);
1820 }
1821
1822 void T55xxWakeUp(uint32_t Pwd){
1823 LED_B_ON();
1824 uint32_t i = 0;
1825
1826 // Set up FPGA, 125kHz
1827 LFSetupFPGAForADC(95, true);
1828 StartTicks();
1829 // make sure tag is fully powered up...
1830 WaitMS(5);
1831
1832 // Trigger T55x7 Direct Access Mode
1833 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1834 WaitUS(START_GAP);
1835
1836 // Opcode 10
1837 T55xxWriteBit(1);
1838 T55xxWriteBit(0); //Page 0
1839
1840 // Send Pwd
1841 for (i = 0x80000000; i != 0; i >>= 1)
1842 T55xxWriteBit(Pwd & i);
1843
1844 // Turn and leave field on to let the begin repeating transmission
1845 TurnReadLFOn(20*1000);
1846 }
1847
1848 /*-------------- Cloning routines -----------*/
1849
1850 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1851 // write last block first and config block last (if included)
1852 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1853 T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
1854 }
1855 }
1856
1857 // Copy a HID-like card (e.g. HID Proximity, Paradox) to a T55x7 compatible card
1858 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble) {
1859 uint32_t data[] = {0,0,0,0,0,0,0};
1860 uint8_t last_block = 0;
1861
1862 if (longFMT) {
1863 // Ensure no more than 84 bits supplied
1864 if (hi2>0xFFFFF) {
1865 DbpString("Tags can only have 84 bits.");
1866 return;
1867 }
1868 // Build the 6 data blocks for supplied 84bit ID
1869 last_block = 6;
1870 // load preamble & long format identifier (9E manchester encoded)
1871 data[1] = (preamble << 24) | 0x96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1872 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1873 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1874 data[3] = manchesterEncode2Bytes(hi >> 16);
1875 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1876 data[5] = manchesterEncode2Bytes(lo >> 16);
1877 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1878 } else {
1879 // Ensure no more than 44 bits supplied
1880 if (hi>0xFFF) {
1881 DbpString("Tags can only have 44 bits.");
1882 return;
1883 }
1884 // Build the 3 data blocks for supplied 44bit ID
1885 last_block = 3;
1886 // load preamble
1887 data[1] = (preamble << 24) | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1888 data[2] = manchesterEncode2Bytes(lo >> 16);
1889 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1890 }
1891 // load chip config block
1892 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1893
1894 //TODO add selection of chip for Q5 or T55x7
1895 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1896
1897 LED_D_ON();
1898 // Program the data blocks for supplied ID
1899 // and the block 0 for HID format
1900 WriteT55xx(data, 0, last_block+1);
1901
1902 LED_D_OFF();
1903
1904 DbpString("DONE!");
1905 }
1906
1907 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1908 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1909 //TODO add selection of chip for Q5 or T55x7
1910 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1911
1912 LED_D_ON();
1913 // Program the data blocks for supplied ID
1914 // and the block 0 config
1915 WriteT55xx(data, 0, 3);
1916
1917 LED_D_OFF();
1918
1919 DbpString("DONE!");
1920 }
1921
1922 // Clone Indala 64-bit tag by UID to T55x7
1923 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1924 //Program the 2 data blocks for supplied 64bit UID
1925 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1926 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1927 //TODO add selection of chip for Q5 or T55x7
1928 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1929
1930 WriteT55xx(data, 0, 3);
1931 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1932 // T5567WriteBlock(0x603E1042,0);
1933 DbpString("DONE!");
1934 }
1935 // Clone Indala 224-bit tag by UID to T55x7
1936 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1937 //Program the 7 data blocks for supplied 224bit UID
1938 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1939 // and the block 0 for Indala224 format
1940 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1941 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1942 //TODO add selection of chip for Q5 or T55x7
1943 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1944 WriteT55xx(data, 0, 8);
1945 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1946 // T5567WriteBlock(0x603E10E2,0);
1947 DbpString("DONE!");
1948 }
1949 // clone viking tag to T55xx
1950 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1951 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1952 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1953 // Program the data blocks for supplied ID and the block 0 config
1954 WriteT55xx(data, 0, 3);
1955 LED_D_OFF();
1956 cmd_send(CMD_ACK,0,0,0,0,0);
1957 }
1958
1959 // Define 9bit header for EM410x tags
1960 #define EM410X_HEADER 0x1FF
1961 #define EM410X_ID_LENGTH 40
1962
1963 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1964 int i, id_bit;
1965 uint64_t id = EM410X_HEADER;
1966 uint64_t rev_id = 0; // reversed ID
1967 int c_parity[4]; // column parity
1968 int r_parity = 0; // row parity
1969 uint32_t clock = 0;
1970
1971 // Reverse ID bits given as parameter (for simpler operations)
1972 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1973 if (i < 32) {
1974 rev_id = (rev_id << 1) | (id_lo & 1);
1975 id_lo >>= 1;
1976 } else {
1977 rev_id = (rev_id << 1) | (id_hi & 1);
1978 id_hi >>= 1;
1979 }
1980 }
1981
1982 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1983 id_bit = rev_id & 1;
1984
1985 if (i % 4 == 0) {
1986 // Don't write row parity bit at start of parsing
1987 if (i)
1988 id = (id << 1) | r_parity;
1989 // Start counting parity for new row
1990 r_parity = id_bit;
1991 } else {
1992 // Count row parity
1993 r_parity ^= id_bit;
1994 }
1995
1996 // First elements in column?
1997 if (i < 4)
1998 // Fill out first elements
1999 c_parity[i] = id_bit;
2000 else
2001 // Count column parity
2002 c_parity[i % 4] ^= id_bit;
2003
2004 // Insert ID bit
2005 id = (id << 1) | id_bit;
2006 rev_id >>= 1;
2007 }
2008
2009 // Insert parity bit of last row
2010 id = (id << 1) | r_parity;
2011
2012 // Fill out column parity at the end of tag
2013 for (i = 0; i < 4; ++i)
2014 id = (id << 1) | c_parity[i];
2015
2016 // Add stop bit
2017 id <<= 1;
2018
2019 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
2020 LED_D_ON();
2021
2022 // Write EM410x ID
2023 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
2024
2025 clock = (card & 0xFF00) >> 8;
2026 clock = (clock == 0) ? 64 : clock;
2027 Dbprintf("Clock rate: %d", clock);
2028 if (card & 0xFF) { //t55x7
2029 clock = GetT55xxClockBit(clock);
2030 if (clock == 0) {
2031 Dbprintf("Invalid clock rate: %d", clock);
2032 return;
2033 }
2034 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
2035 } else { //t5555 (Q5)
2036 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
2037 }
2038
2039 WriteT55xx(data, 0, 3);
2040
2041 LED_D_OFF();
2042 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
2043 (uint32_t)(id >> 32), (uint32_t)id);
2044 }
2045
2046 //-----------------------------------
2047 // EM4469 / EM4305 routines
2048 //-----------------------------------
2049 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
2050 #define FWD_CMD_WRITE 0xA
2051 #define FWD_CMD_READ 0x9
2052 #define FWD_CMD_DISABLE 0x5
2053
2054 uint8_t forwardLink_data[64]; //array of forwarded bits
2055 uint8_t * forward_ptr; //ptr for forward message preparation
2056 uint8_t fwd_bit_sz; //forwardlink bit counter
2057 uint8_t * fwd_write_ptr; //forwardlink bit pointer
2058
2059 //====================================================================
2060 // prepares command bits
2061 // see EM4469 spec
2062 //====================================================================
2063 //--------------------------------------------------------------------
2064 // VALUES TAKEN FROM EM4x function: SendForward
2065 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
2066 // WRITE_GAP = 128; (16*8)
2067 // WRITE_1 = 256 32*8; (32*8)
2068
2069 // These timings work for 4469/4269/4305 (with the 55*8 above)
2070 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
2071
2072 uint8_t Prepare_Cmd( uint8_t cmd ) {
2073
2074 *forward_ptr++ = 0; //start bit
2075 *forward_ptr++ = 0; //second pause for 4050 code
2076
2077 *forward_ptr++ = cmd;
2078 cmd >>= 1;
2079 *forward_ptr++ = cmd;
2080 cmd >>= 1;
2081 *forward_ptr++ = cmd;
2082 cmd >>= 1;
2083 *forward_ptr++ = cmd;
2084
2085 return 6; //return number of emited bits
2086 }
2087
2088 //====================================================================
2089 // prepares address bits
2090 // see EM4469 spec
2091 //====================================================================
2092 uint8_t Prepare_Addr( uint8_t addr ) {
2093
2094 register uint8_t line_parity;
2095
2096 uint8_t i;
2097 line_parity = 0;
2098 for(i=0;i<6;i++) {
2099 *forward_ptr++ = addr;
2100 line_parity ^= addr;
2101 addr >>= 1;
2102 }
2103
2104 *forward_ptr++ = (line_parity & 1);
2105
2106 return 7; //return number of emited bits
2107 }
2108
2109 //====================================================================
2110 // prepares data bits intreleaved with parity bits
2111 // see EM4469 spec
2112 //====================================================================
2113 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
2114
2115 register uint8_t line_parity;
2116 register uint8_t column_parity;
2117 register uint8_t i, j;
2118 register uint16_t data;
2119
2120 data = data_low;
2121 column_parity = 0;
2122
2123 for(i=0; i<4; i++) {
2124 line_parity = 0;
2125 for(j=0; j<8; j++) {
2126 line_parity ^= data;
2127 column_parity ^= (data & 1) << j;
2128 *forward_ptr++ = data;
2129 data >>= 1;
2130 }
2131 *forward_ptr++ = line_parity;
2132 if(i == 1)
2133 data = data_hi;
2134 }
2135
2136 for(j=0; j<8; j++) {
2137 *forward_ptr++ = column_parity;
2138 column_parity >>= 1;
2139 }
2140 *forward_ptr = 0;
2141
2142 return 45; //return number of emited bits
2143 }
2144
2145 //====================================================================
2146 // Forward Link send function
2147 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
2148 // fwd_bit_count set with number of bits to be sent
2149 //====================================================================
2150 void SendForward(uint8_t fwd_bit_count) {
2151
2152 fwd_write_ptr = forwardLink_data;
2153 fwd_bit_sz = fwd_bit_count;
2154
2155 // Set up FPGA, 125kHz or 95 divisor
2156 LFSetupFPGAForADC(95, true);
2157
2158 // force 1st mod pulse (start gap must be longer for 4305)
2159 fwd_bit_sz--; //prepare next bit modulation
2160 fwd_write_ptr++;
2161 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2162 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
2163 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
2164 WaitUS(18*8); //18 cycles on (8us each)
2165
2166 // now start writting
2167 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
2168 if(((*fwd_write_ptr++) & 1) == 1)
2169 WaitUS(32*8); //32 cycles at 125Khz (8us each)
2170 else {
2171 //These timings work for 4469/4269/4305 (with the 55*8 above)
2172 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2173 WaitUS(23*8); //23 cycles off (8us each)
2174 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
2175 WaitUS(18*8); //18 cycles on (8us each)
2176 }
2177 }
2178 }
2179
2180 void EM4xLogin(uint32_t Password) {
2181
2182 uint8_t fwd_bit_count;
2183
2184 forward_ptr = forwardLink_data;
2185 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
2186 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
2187
2188 SendForward(fwd_bit_count);
2189
2190 //Wait for command to complete
2191 SpinDelay(20);
2192 }
2193
2194 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
2195
2196 uint8_t fwd_bit_count;
2197
2198 // Clear destination buffer before sending the command
2199 BigBuf_Clear_ext(false);
2200
2201 LED_A_ON();
2202 StartTicks();
2203 //If password mode do login
2204 if (PwdMode == 1) EM4xLogin(Pwd);
2205
2206 forward_ptr = forwardLink_data;
2207 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
2208 fwd_bit_count += Prepare_Addr( Address );
2209
2210 SendForward(fwd_bit_count);
2211 WaitUS(400);
2212 // Now do the acquisition
2213 DoPartialAcquisition(20, true, 6000, 1000);
2214
2215 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2216 LED_A_OFF();
2217 cmd_send(CMD_ACK,0,0,0,0,0);
2218 }
2219
2220 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
2221
2222 bool PwdMode = (flag & 0xF);
2223 uint8_t Address = (flag >> 8) & 0xFF;
2224 uint8_t fwd_bit_count;
2225
2226 //clear buffer now so it does not interfere with timing later
2227 BigBuf_Clear_ext(false);
2228
2229 LED_A_ON();
2230 StartTicks();
2231 //If password mode do login
2232 if (PwdMode) EM4xLogin(Pwd);
2233
2234 forward_ptr = forwardLink_data;
2235 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
2236 fwd_bit_count += Prepare_Addr( Address );
2237 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
2238
2239 SendForward(fwd_bit_count);
2240
2241 //Wait for write to complete
2242 //SpinDelay(10);
2243
2244 WaitUS(6500);
2245 //Capture response if one exists
2246 DoPartialAcquisition(20, true, 6000, 1000);
2247
2248 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2249 LED_A_OFF();
2250 cmd_send(CMD_ACK,0,0,0,0,0);
2251 }
2252 /*
2253 Reading a COTAG.
2254
2255 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
2256 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
2257
2258 READER START SEQUENCE:
2259 burst 800 us, gap 2.2 msecs
2260 burst 3.6 msecs gap 2.2 msecs
2261 burst 800 us gap 2.2 msecs
2262 pulse 3.6 msecs
2263
2264 This triggers a COTAG tag to response
2265 */
2266 void Cotag(uint32_t arg0) {
2267
2268 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
2269 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
2270
2271 uint8_t rawsignal = arg0 & 0xF;
2272
2273 LED_A_ON();
2274
2275 // Switching to LF image on FPGA. This might empty BigBuff
2276 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2277
2278 //clear buffer now so it does not interfere with timing later
2279 BigBuf_Clear_ext(false);
2280
2281 // Set up FPGA, 132kHz to power up the tag
2282 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
2283 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2284
2285 // Connect the A/D to the peak-detected low-frequency path.
2286 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2287
2288 // Now set up the SSC to get the ADC samples that are now streaming at us.
2289 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_ADC);
2290
2291 // start clock - 1.5ticks is 1us
2292 StartTicks();
2293
2294 //send COTAG start pulse
2295 ON(740) OFF
2296 ON(3330) OFF
2297 ON(740) OFF
2298 ON(1000)
2299
2300 switch(rawsignal) {
2301 case 0: doCotagAcquisition(50000); break;
2302 case 1: doCotagAcquisitionManchester(); break;
2303 case 2: DoAcquisition_config(true, 0); break;
2304 }
2305
2306 // Turn the field off
2307 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2308 cmd_send(CMD_ACK,0,0,0,0,0);
2309 LED_A_OFF();
2310 }
Impressum, Datenschutz