]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
projects / proxmark3-svn / blob
? search:


c6aecf0fca176d15f18758cc9f714cdd30345cab
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21 #include "fpgaloader.h"
22
23 /**
24 * Function to do a modulation and then get samples.
25 * @param delay_off
26 * @param period_0
27 * @param period_1
28 * @param command
29 */
30 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
31 {
32 // start timer
33 StartTicks();
34
35 // use lf config settings
36 sample_config *sc = getSamplingConfig();
37
38 // Make sure the tag is reset
39 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
40 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
41 WaitMS(2500);
42
43 // clear read buffer (after fpga bitstream loaded...)
44 BigBuf_Clear_keep_EM();
45
46 // power on
47 LFSetupFPGAForADC(sc->divisor, 1);
48
49 // And a little more time for the tag to fully power up
50 WaitMS(2000);
51 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
52 bool bitbang = delay_off == 0;
53 // now modulate the reader field
54
55 if (bitbang) {
56 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
57 uint8_t hack_cnt = 7;
58 if (period_0 < hack_cnt || period_1 < hack_cnt) {
59 DbpString("Warning periods cannot be less than 7us in bit bang mode");
60 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
61 LED_D_OFF();
62 return;
63 }
64
65 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
66 // leading to ~ 1 to 2 125khz samples extra in every off period
67 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
68 // but is this time different for every antenna or other hw builds??? more testing needed
69
70 // prime cmd_len to save time comparing strings while modulating
71 int cmd_len = 0;
72 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
73 cmd_len++;
74
75 int counter = 0;
76 bool off = false;
77 for (counter = 0; counter < cmd_len; counter++) {
78 // if cmd = 0 then turn field off
79 if (command[counter] == '0') {
80 // if field already off leave alone (affects timing otherwise)
81 if (off == false) {
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
83 LED_D_OFF();
84 off = true;
85 }
86 // note we appear to take about 7us to switch over (or run the if statements/loop...)
87 WaitUS(period_0-hack_cnt);
88 // else if cmd = 1 then turn field on
89 } else {
90 // if field already on leave alone (affects timing otherwise)
91 if (off) {
92 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
93 LED_D_ON();
94 off = false;
95 }
96 // note we appear to take about 7us to switch over (or run the if statements/loop...)
97 WaitUS(period_1-hack_cnt);
98 }
99 }
100 } else { // old mode of cmd read using delay as off period
101 while(*command != '\0' && *command != ' ') {
102 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
103 LED_D_OFF();
104 WaitUS(delay_off);
105 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
106 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
107 LED_D_ON();
108 if(*(command++) == '0') {
109 WaitUS(period_0);
110 } else {
111 WaitUS(period_1);
112 }
113 }
114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
115 LED_D_OFF();
116 WaitUS(delay_off);
117 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
118 }
119
120 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
121
122 // now do the read
123 DoAcquisition_config(false, 0);
124
125 // Turn off antenna
126 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
127 // tell client we are done
128 cmd_send(CMD_ACK,0,0,0,0,0);
129 }
130
131 /* blank r/w tag data stream
132 ...0000000000000000 01111111
133 1010101010101010101010101010101010101010101010101010101010101010
134 0011010010100001
135 01111111
136 101010101010101[0]000...
137
138 [5555fe852c5555555555555555fe0000]
139 */
140 void ReadTItag(void)
141 {
142 // some hardcoded initial params
143 // when we read a TI tag we sample the zerocross line at 2Mhz
144 // TI tags modulate a 1 as 16 cycles of 123.2Khz
145 // TI tags modulate a 0 as 16 cycles of 134.2Khz
146 #define FSAMPLE 2000000
147 #define FREQLO 123200
148 #define FREQHI 134200
149
150 signed char *dest = (signed char *)BigBuf_get_addr();
151 uint16_t n = BigBuf_max_traceLen();
152 // 128 bit shift register [shift3:shift2:shift1:shift0]
153 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
154
155 int i, cycles=0, samples=0;
156 // how many sample points fit in 16 cycles of each frequency
157 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
158 // when to tell if we're close enough to one freq or another
159 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
160
161 // TI tags charge at 134.2Khz
162 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
163 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
164
165 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
166 // connects to SSP_DIN and the SSP_DOUT logic level controls
167 // whether we're modulating the antenna (high)
168 // or listening to the antenna (low)
169 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
170
171 // get TI tag data into the buffer
172 AcquireTiType();
173
174 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
175
176 for (i=0; i<n-1; i++) {
177 // count cycles by looking for lo to hi zero crossings
178 if ( (dest[i]<0) && (dest[i+1]>0) ) {
179 cycles++;
180 // after 16 cycles, measure the frequency
181 if (cycles>15) {
182 cycles=0;
183 samples=i-samples; // number of samples in these 16 cycles
184
185 // TI bits are coming to us lsb first so shift them
186 // right through our 128 bit right shift register
187 shift0 = (shift0>>1) | (shift1 << 31);
188 shift1 = (shift1>>1) | (shift2 << 31);
189 shift2 = (shift2>>1) | (shift3 << 31);
190 shift3 >>= 1;
191
192 // check if the cycles fall close to the number
193 // expected for either the low or high frequency
194 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
195 // low frequency represents a 1
196 shift3 |= (1<<31);
197 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
198 // high frequency represents a 0
199 } else {
200 // probably detected a gay waveform or noise
201 // use this as gaydar or discard shift register and start again
202 shift3 = shift2 = shift1 = shift0 = 0;
203 }
204 samples = i;
205
206 // for each bit we receive, test if we've detected a valid tag
207
208 // if we see 17 zeroes followed by 6 ones, we might have a tag
209 // remember the bits are backwards
210 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
211 // if start and end bytes match, we have a tag so break out of the loop
212 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
213 cycles = 0xF0B; //use this as a flag (ugly but whatever)
214 break;
215 }
216 }
217 }
218 }
219 }
220
221 // if flag is set we have a tag
222 if (cycles!=0xF0B) {
223 DbpString("Info: No valid tag detected.");
224 } else {
225 // put 64 bit data into shift1 and shift0
226 shift0 = (shift0>>24) | (shift1 << 8);
227 shift1 = (shift1>>24) | (shift2 << 8);
228
229 // align 16 bit crc into lower half of shift2
230 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
231
232 // if r/w tag, check ident match
233 if (shift3 & (1<<15) ) {
234 DbpString("Info: TI tag is rewriteable");
235 // only 15 bits compare, last bit of ident is not valid
236 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
237 DbpString("Error: Ident mismatch!");
238 } else {
239 DbpString("Info: TI tag ident is valid");
240 }
241 } else {
242 DbpString("Info: TI tag is readonly");
243 }
244
245 // WARNING the order of the bytes in which we calc crc below needs checking
246 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
247 // bytes in reverse or something
248 // calculate CRC
249 uint32_t crc=0;
250
251 crc = update_crc16(crc, (shift0)&0xff);
252 crc = update_crc16(crc, (shift0>>8)&0xff);
253 crc = update_crc16(crc, (shift0>>16)&0xff);
254 crc = update_crc16(crc, (shift0>>24)&0xff);
255 crc = update_crc16(crc, (shift1)&0xff);
256 crc = update_crc16(crc, (shift1>>8)&0xff);
257 crc = update_crc16(crc, (shift1>>16)&0xff);
258 crc = update_crc16(crc, (shift1>>24)&0xff);
259
260 Dbprintf("Info: Tag data: %x%08x, crc=%x",
261 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
262 if (crc != (shift2&0xffff)) {
263 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
264 } else {
265 DbpString("Info: CRC is good");
266 }
267 }
268 }
269
270 void WriteTIbyte(uint8_t b)
271 {
272 int i = 0;
273
274 // modulate 8 bits out to the antenna
275 for (i=0; i<8; i++)
276 {
277 if (b&(1<<i)) {
278 // stop modulating antenna
279 LOW(GPIO_SSC_DOUT);
280 SpinDelayUs(1000);
281 // modulate antenna
282 HIGH(GPIO_SSC_DOUT);
283 SpinDelayUs(1000);
284 } else {
285 // stop modulating antenna
286 LOW(GPIO_SSC_DOUT);
287 SpinDelayUs(300);
288 // modulate antenna
289 HIGH(GPIO_SSC_DOUT);
290 SpinDelayUs(1700);
291 }
292 }
293 }
294
295 void AcquireTiType(void)
296 {
297 int i, j, n;
298 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
299 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
300 #define TIBUFLEN 1250
301
302 // clear buffer
303 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
304 BigBuf_Clear_ext(false);
305
306 // Set up the synchronous serial port
307 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
308 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
309
310 // steal this pin from the SSP and use it to control the modulation
311 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
312 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
313
314 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
315 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
316
317 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
318 // 48/2 = 24 MHz clock must be divided by 12
319 AT91C_BASE_SSC->SSC_CMR = 12;
320
321 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
322 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
323 AT91C_BASE_SSC->SSC_TCMR = 0;
324 AT91C_BASE_SSC->SSC_TFMR = 0;
325
326 LED_D_ON();
327
328 // modulate antenna
329 HIGH(GPIO_SSC_DOUT);
330
331 // Charge TI tag for 50ms.
332 SpinDelay(50);
333
334 // stop modulating antenna and listen
335 LOW(GPIO_SSC_DOUT);
336
337 LED_D_OFF();
338
339 i = 0;
340 for(;;) {
341 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
342 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
343 i++; if(i >= TIBUFLEN) break;
344 }
345 WDT_HIT();
346 }
347
348 // return stolen pin to SSP
349 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
350 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
351
352 char *dest = (char *)BigBuf_get_addr();
353 n = TIBUFLEN*32;
354 // unpack buffer
355 for (i=TIBUFLEN-1; i>=0; i--) {
356 for (j=0; j<32; j++) {
357 if(BigBuf[i] & (1 << j)) {
358 dest[--n] = 1;
359 } else {
360 dest[--n] = -1;
361 }
362 }
363 }
364 }
365
366 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
367 // if crc provided, it will be written with the data verbatim (even if bogus)
368 // if not provided a valid crc will be computed from the data and written.
369 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
370 {
371 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
372 if(crc == 0) {
373 crc = update_crc16(crc, (idlo)&0xff);
374 crc = update_crc16(crc, (idlo>>8)&0xff);
375 crc = update_crc16(crc, (idlo>>16)&0xff);
376 crc = update_crc16(crc, (idlo>>24)&0xff);
377 crc = update_crc16(crc, (idhi)&0xff);
378 crc = update_crc16(crc, (idhi>>8)&0xff);
379 crc = update_crc16(crc, (idhi>>16)&0xff);
380 crc = update_crc16(crc, (idhi>>24)&0xff);
381 }
382 Dbprintf("Writing to tag: %x%08x, crc=%x",
383 (unsigned int) idhi, (unsigned int) idlo, crc);
384
385 // TI tags charge at 134.2Khz
386 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
387 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
388 // connects to SSP_DIN and the SSP_DOUT logic level controls
389 // whether we're modulating the antenna (high)
390 // or listening to the antenna (low)
391 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
392 LED_A_ON();
393
394 // steal this pin from the SSP and use it to control the modulation
395 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
396 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
397
398 // writing algorithm:
399 // a high bit consists of a field off for 1ms and field on for 1ms
400 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
401 // initiate a charge time of 50ms (field on) then immediately start writing bits
402 // start by writing 0xBB (keyword) and 0xEB (password)
403 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
404 // finally end with 0x0300 (write frame)
405 // all data is sent lsb firts
406 // finish with 15ms programming time
407
408 // modulate antenna
409 HIGH(GPIO_SSC_DOUT);
410 SpinDelay(50); // charge time
411
412 WriteTIbyte(0xbb); // keyword
413 WriteTIbyte(0xeb); // password
414 WriteTIbyte( (idlo )&0xff );
415 WriteTIbyte( (idlo>>8 )&0xff );
416 WriteTIbyte( (idlo>>16)&0xff );
417 WriteTIbyte( (idlo>>24)&0xff );
418 WriteTIbyte( (idhi )&0xff );
419 WriteTIbyte( (idhi>>8 )&0xff );
420 WriteTIbyte( (idhi>>16)&0xff );
421 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
422 WriteTIbyte( (crc )&0xff ); // crc lo
423 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
424 WriteTIbyte(0x00); // write frame lo
425 WriteTIbyte(0x03); // write frame hi
426 HIGH(GPIO_SSC_DOUT);
427 SpinDelay(50); // programming time
428
429 LED_A_OFF();
430
431 // get TI tag data into the buffer
432 AcquireTiType();
433
434 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
435 DbpString("Now use `lf ti read` to check");
436 }
437
438 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
439 {
440 int i;
441 uint8_t *tab = BigBuf_get_addr();
442
443 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
444 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
445 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
446
447 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
448
449 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
450 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
451
452 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
453 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
454
455 i = 0;
456 for(;;) {
457 //wait until SSC_CLK goes HIGH
458 int ii = 0;
459 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
460 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
461 if ( ii == 1000 ) {
462 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
463 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
464 DbpString("Stopped");
465 return;
466 }
467 ii=0;
468 }
469 WDT_HIT();
470 ii++;
471 }
472 if (ledcontrol)
473 LED_D_ON();
474
475 if(tab[i])
476 OPEN_COIL();
477 else
478 SHORT_COIL();
479
480 if (ledcontrol)
481 LED_D_OFF();
482 ii=0;
483 //wait until SSC_CLK goes LOW
484 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
485 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
486 if ( ii == 1000 ) {
487 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
489 DbpString("Stopped");
490 return;
491 }
492 ii=0;
493 }
494 WDT_HIT();
495 ii++;
496 }
497
498 i++;
499 if(i == period) {
500
501 i = 0;
502 if (gap) {
503 SHORT_COIL();
504 SpinDelayUs(gap);
505 }
506 }
507
508 }
509 }
510
511 #define DEBUG_FRAME_CONTENTS 1
512 void SimulateTagLowFrequencyBidir(int divisor, int t0)
513 {
514 }
515
516 // compose fc/8 fc/10 waveform (FSK2)
517 static void fc(int c, int *n)
518 {
519 uint8_t *dest = BigBuf_get_addr();
520 int idx;
521
522 // for when we want an fc8 pattern every 4 logical bits
523 if(c==0) {
524 dest[((*n)++)]=1;
525 dest[((*n)++)]=1;
526 dest[((*n)++)]=1;
527 dest[((*n)++)]=1;
528 dest[((*n)++)]=0;
529 dest[((*n)++)]=0;
530 dest[((*n)++)]=0;
531 dest[((*n)++)]=0;
532 }
533
534 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
535 if(c==8) {
536 for (idx=0; idx<6; idx++) {
537 dest[((*n)++)]=1;
538 dest[((*n)++)]=1;
539 dest[((*n)++)]=1;
540 dest[((*n)++)]=1;
541 dest[((*n)++)]=0;
542 dest[((*n)++)]=0;
543 dest[((*n)++)]=0;
544 dest[((*n)++)]=0;
545 }
546 }
547
548 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
549 if(c==10) {
550 for (idx=0; idx<5; idx++) {
551 dest[((*n)++)]=1;
552 dest[((*n)++)]=1;
553 dest[((*n)++)]=1;
554 dest[((*n)++)]=1;
555 dest[((*n)++)]=1;
556 dest[((*n)++)]=0;
557 dest[((*n)++)]=0;
558 dest[((*n)++)]=0;
559 dest[((*n)++)]=0;
560 dest[((*n)++)]=0;
561 }
562 }
563 }
564 // compose fc/X fc/Y waveform (FSKx)
565 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
566 {
567 uint8_t *dest = BigBuf_get_addr();
568 uint8_t halfFC = fc/2;
569 uint8_t wavesPerClock = clock/fc;
570 uint8_t mod = clock % fc; //modifier
571 uint8_t modAdj = fc/mod; //how often to apply modifier
572 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=true;
573 // loop through clock - step field clock
574 for (uint8_t idx=0; idx < wavesPerClock; idx++){
575 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
576 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
577 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
578 *n += fc;
579 }
580 if (mod>0) (*modCnt)++;
581 if ((mod>0) && modAdjOk){ //fsk2
582 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
583 memset(dest+(*n), 0, fc-halfFC);
584 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
585 *n += fc;
586 }
587 }
588 if (mod>0 && !modAdjOk){ //fsk1
589 memset(dest+(*n), 0, mod-(mod/2));
590 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
591 *n += mod;
592 }
593 }
594
595 // prepare a waveform pattern in the buffer based on the ID given then
596 // simulate a HID tag until the button is pressed
597 void CmdHIDsimTAG(int hi2, int hi, int lo, int ledcontrol)
598 {
599 int n=0, i=0;
600 /*
601 HID tag bitstream format
602 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
603 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
604 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
605 A fc8 is inserted before every 4 bits
606 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
607 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
608 */
609
610 if (hi2>0x0FFFFFFF) {
611 DbpString("Tags can only have 44 or 84 bits. - USE lf simfsk for larger tags");
612 return;
613 }
614 // set LF so we don't kill the bigbuf we are setting with simulation data.
615 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
616
617 fc(0,&n);
618 // special start of frame marker containing invalid bit sequences
619 fc(8, &n); fc(8, &n); // invalid
620 fc(8, &n); fc(10, &n); // logical 0
621 fc(10, &n); fc(10, &n); // invalid
622 fc(8, &n); fc(10, &n); // logical 0
623
624 WDT_HIT();
625 if (hi2 > 0 || hi > 0xFFF){
626 // manchester encode bits 91 to 64 (91-84 are part of the header)
627 for (i=27; i>=0; i--) {
628 if ((i%4)==3) fc(0,&n);
629 if ((hi2>>i)&1) {
630 fc(10, &n); fc(8, &n); // low-high transition
631 } else {
632 fc(8, &n); fc(10, &n); // high-low transition
633 }
634 }
635 WDT_HIT();
636 // manchester encode bits 63 to 32
637 for (i=31; i>=0; i--) {
638 if ((i%4)==3) fc(0,&n);
639 if ((hi>>i)&1) {
640 fc(10, &n); fc(8, &n); // low-high transition
641 } else {
642 fc(8, &n); fc(10, &n); // high-low transition
643 }
644 }
645 } else {
646 // manchester encode bits 43 to 32
647 for (i=11; i>=0; i--) {
648 if ((i%4)==3) fc(0,&n);
649 if ((hi>>i)&1) {
650 fc(10, &n); fc(8, &n); // low-high transition
651 } else {
652 fc(8, &n); fc(10, &n); // high-low transition
653 }
654 }
655 }
656
657 WDT_HIT();
658 // manchester encode bits 31 to 0
659 for (i=31; i>=0; i--) {
660 if ((i%4)==3) fc(0,&n);
661 if ((lo>>i)&1) {
662 fc(10, &n); fc(8, &n); // low-high transition
663 } else {
664 fc(8, &n); fc(10, &n); // high-low transition
665 }
666 }
667
668 if (ledcontrol)
669 LED_A_ON();
670 SimulateTagLowFrequency(n, 0, ledcontrol);
671
672 if (ledcontrol)
673 LED_A_OFF();
674 }
675
676 // prepare a waveform pattern in the buffer based on the ID given then
677 // simulate a FSK tag until the button is pressed
678 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
679 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
680 {
681 int ledcontrol=1;
682 int n=0, i=0;
683 uint8_t fcHigh = arg1 >> 8;
684 uint8_t fcLow = arg1 & 0xFF;
685 uint16_t modCnt = 0;
686 uint8_t clk = arg2 & 0xFF;
687 uint8_t invert = (arg2 >> 8) & 1;
688
689 // set LF so we don't kill the bigbuf we are setting with simulation data.
690 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
691
692 for (i=0; i<size; i++){
693 if (BitStream[i] == invert){
694 fcAll(fcLow, &n, clk, &modCnt);
695 } else {
696 fcAll(fcHigh, &n, clk, &modCnt);
697 }
698 }
699 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
700 /*Dbprintf("DEBUG: First 32:");
701 uint8_t *dest = BigBuf_get_addr();
702 i=0;
703 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
704 i+=16;
705 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
706 */
707 if (ledcontrol)
708 LED_A_ON();
709
710 SimulateTagLowFrequency(n, 0, ledcontrol);
711
712 if (ledcontrol)
713 LED_A_OFF();
714 }
715
716 // compose ask waveform for one bit(ASK)
717 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
718 {
719 uint8_t *dest = BigBuf_get_addr();
720 uint8_t halfClk = clock/2;
721 // c = current bit 1 or 0
722 if (manchester==1){
723 memset(dest+(*n), c, halfClk);
724 memset(dest+(*n) + halfClk, c^1, halfClk);
725 } else {
726 memset(dest+(*n), c, clock);
727 }
728 *n += clock;
729 }
730
731 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
732 {
733 uint8_t *dest = BigBuf_get_addr();
734 uint8_t halfClk = clock/2;
735 if (c){
736 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
737 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
738 } else {
739 memset(dest+(*n), c ^ *phase, clock);
740 *phase ^= 1;
741 }
742 *n += clock;
743 }
744
745 static void stAskSimBit(int *n, uint8_t clock) {
746 uint8_t *dest = BigBuf_get_addr();
747 uint8_t halfClk = clock/2;
748 //ST = .5 high .5 low 1.5 high .5 low 1 high
749 memset(dest+(*n), 1, halfClk);
750 memset(dest+(*n) + halfClk, 0, halfClk);
751 memset(dest+(*n) + clock, 1, clock + halfClk);
752 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
753 memset(dest+(*n) + clock*3, 1, clock);
754 *n += clock*4;
755 }
756
757 // args clock, ask/man or askraw, invert, transmission separator
758 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
759 {
760 int ledcontrol = 1;
761 int n=0, i=0;
762 uint8_t clk = (arg1 >> 8) & 0xFF;
763 uint8_t encoding = arg1 & 0xFF;
764 uint8_t separator = arg2 & 1;
765 uint8_t invert = (arg2 >> 8) & 1;
766
767 // set LF so we don't kill the bigbuf we are setting with simulation data.
768 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
769
770 if (encoding==2){ //biphase
771 uint8_t phase=0;
772 for (i=0; i<size; i++){
773 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
774 }
775 if (phase==1) { //run a second set inverted to keep phase in check
776 for (i=0; i<size; i++){
777 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
778 }
779 }
780 } else { // ask/manchester || ask/raw
781 for (i=0; i<size; i++){
782 askSimBit(BitStream[i]^invert, &n, clk, encoding);
783 }
784 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
785 for (i=0; i<size; i++){
786 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
787 }
788 }
789 }
790 if (separator==1 && encoding == 1)
791 stAskSimBit(&n, clk);
792 else if (separator==1)
793 Dbprintf("sorry but separator option not yet available");
794
795 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
796 //DEBUG
797 //Dbprintf("First 32:");
798 //uint8_t *dest = BigBuf_get_addr();
799 //i=0;
800 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
801 //i+=16;
802 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
803
804 if (ledcontrol) LED_A_ON();
805 SimulateTagLowFrequency(n, 0, ledcontrol);
806 if (ledcontrol) LED_A_OFF();
807 }
808
809 //carrier can be 2,4 or 8
810 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
811 {
812 uint8_t *dest = BigBuf_get_addr();
813 uint8_t halfWave = waveLen/2;
814 //uint8_t idx;
815 int i = 0;
816 if (phaseChg){
817 // write phase change
818 memset(dest+(*n), *curPhase^1, halfWave);
819 memset(dest+(*n) + halfWave, *curPhase, halfWave);
820 *n += waveLen;
821 *curPhase ^= 1;
822 i += waveLen;
823 }
824 //write each normal clock wave for the clock duration
825 for (; i < clk; i+=waveLen){
826 memset(dest+(*n), *curPhase, halfWave);
827 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
828 *n += waveLen;
829 }
830 }
831
832 // args clock, carrier, invert,
833 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
834 {
835 int ledcontrol=1;
836 int n=0, i=0;
837 uint8_t clk = arg1 >> 8;
838 uint8_t carrier = arg1 & 0xFF;
839 uint8_t invert = arg2 & 0xFF;
840 uint8_t curPhase = 0;
841 // set LF so we don't kill the bigbuf we are setting with simulation data.
842 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
843
844 for (i=0; i<size; i++){
845 if (BitStream[i] == curPhase){
846 pskSimBit(carrier, &n, clk, &curPhase, false);
847 } else {
848 pskSimBit(carrier, &n, clk, &curPhase, true);
849 }
850 }
851 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
852 //Dbprintf("DEBUG: First 32:");
853 //uint8_t *dest = BigBuf_get_addr();
854 //i=0;
855 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
856 //i+=16;
857 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
858
859 if (ledcontrol) LED_A_ON();
860 SimulateTagLowFrequency(n, 0, ledcontrol);
861 if (ledcontrol) LED_A_OFF();
862 }
863
864 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
865 void CmdHIDdemodFSK(int findone, int *high2, int *high, int *low, int ledcontrol)
866 {
867 uint8_t *dest = BigBuf_get_addr();
868 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
869 size_t size;
870 uint32_t hi2=0, hi=0, lo=0;
871 int idx=0;
872 int dummyIdx = 0;
873 // Configure to go in 125Khz listen mode
874 LFSetupFPGAForADC(95, true);
875
876 //clear read buffer
877 BigBuf_Clear_keep_EM();
878
879 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
880 WDT_HIT();
881 if (ledcontrol) LED_A_ON();
882
883 DoAcquisition_default(-1,true);
884 // FSK demodulator
885 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
886 size = 50*128*2; //big enough to catch 2 sequences of largest format
887 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
888
889 if (idx>0 && lo>0 && (size==96 || size==192)){
890 uint8_t bitlen = 0;
891 uint32_t fc = 0;
892 uint32_t cardnum = 0;
893 bool decoded = false;
894
895 // go over previously decoded manchester data and decode into usable tag ID
896 if ((hi2 & 0x000FFFF) != 0){ //extra large HID tags 88/192 bits
897 uint32_t bp = hi2 & 0x000FFFFF;
898 bitlen = 63;
899 while (bp > 0) {
900 bp = bp >> 1;
901 bitlen++;
902 }
903 } else if ((hi >> 6) > 0) {
904 uint32_t bp = hi;
905 bitlen = 31;
906 while (bp > 0) {
907 bp = bp >> 1;
908 bitlen++;
909 }
910 } else if (((hi >> 5) & 1) == 0) {
911 bitlen = 37;
912 } else if ((hi & 0x0000001F) > 0 ) {
913 uint32_t bp = (hi & 0x0000001F);
914 bitlen = 31;
915 while (bp > 0) {
916 bp = bp >> 1;
917 bitlen++;
918 }
919 } else {
920 uint32_t bp = lo;
921 bitlen = 0;
922 while (bp > 0) {
923 bp = bp >> 1;
924 bitlen++;
925 }
926 }
927 switch (bitlen){
928 case 26:
929 cardnum = (lo>>1)&0xFFFF;
930 fc = (lo>>17)&0xFF;
931 decoded = true;
932 break;
933 case 35:
934 cardnum = (lo>>1)&0xFFFFF;
935 fc = ((hi&1)<<11)|(lo>>21);
936 decoded = true;
937 break;
938 }
939
940 if (hi2 != 0) //extra large HID tags 88/192 bits
941 Dbprintf("TAG ID: %x%08x%08x (%d)",
942 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
943 else
944 Dbprintf("TAG ID: %x%08x (%d)",
945 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
946
947 if (decoded)
948 Dbprintf("Format Len: %dbits - FC: %d - Card: %d",
949 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
950
951 if (findone){
952 if (ledcontrol) LED_A_OFF();
953 *high2 = hi2;
954 *high = hi;
955 *low = lo;
956 break;
957 }
958 // reset
959 }
960 hi2 = hi = lo = idx = 0;
961 WDT_HIT();
962 }
963
964 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
965 DbpString("Stopped");
966 if (ledcontrol) LED_A_OFF();
967 }
968
969 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
970 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
971 {
972 uint8_t *dest = BigBuf_get_addr();
973 size_t size;
974 int idx=0, dummyIdx=0;
975 //clear read buffer
976 BigBuf_Clear_keep_EM();
977 // Configure to go in 125Khz listen mode
978 LFSetupFPGAForADC(95, true);
979
980 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
981
982 WDT_HIT();
983 if (ledcontrol) LED_A_ON();
984
985 DoAcquisition_default(-1,true);
986 // FSK demodulator
987 size = 50*128*2; //big enough to catch 2 sequences of largest format
988 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
989
990 if (idx<=0 || size!=96) continue;
991 // Index map
992 // 0 10 20 30 40 50 60
993 // | | | | | | |
994 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
995 // -----------------------------------------------------------------------------
996 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
997 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
998 // |---26 bit---| |-----117----||-------------142-------------|
999 // b = format bit len, o = odd parity of last 3 bits
1000 // f = facility code, c = card number
1001 // w = wiegand parity
1002 // (26 bit format shown)
1003
1004 //get raw ID before removing parities
1005 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
1006 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
1007 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
1008
1009 size = removeParity(dest, idx+8, 4, 1, 88);
1010 if (size != 66) continue;
1011 // ok valid card found!
1012
1013 // Index map
1014 // 0 10 20 30 40 50 60
1015 // | | | | | | |
1016 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
1017 // -----------------------------------------------------------------------------
1018 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
1019 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1020 // |26 bit| |-117--| |-----142------|
1021 // b = format bit len, o = odd parity of last 3 bits
1022 // f = facility code, c = card number
1023 // w = wiegand parity
1024 // (26 bit format shown)
1025
1026 uint32_t fc = 0;
1027 uint32_t cardnum = 0;
1028 uint32_t code1 = 0;
1029 uint32_t code2 = 0;
1030 uint8_t fmtLen = bytebits_to_byte(dest,8);
1031 if (fmtLen==26){
1032 fc = bytebits_to_byte(dest+9, 8);
1033 cardnum = bytebits_to_byte(dest+17, 16);
1034 code1 = bytebits_to_byte(dest+8,fmtLen);
1035 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
1036 } else {
1037 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1038 if (fmtLen>32){
1039 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1040 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1041 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1042 } else{
1043 code1 = bytebits_to_byte(dest+8,fmtLen);
1044 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1045 }
1046 }
1047 if (findone){
1048 if (ledcontrol) LED_A_OFF();
1049 break;
1050 }
1051 // reset
1052 idx = 0;
1053 WDT_HIT();
1054 }
1055 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1056 DbpString("Stopped");
1057 if (ledcontrol) LED_A_OFF();
1058 }
1059
1060 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1061 {
1062 uint8_t *dest = BigBuf_get_addr();
1063
1064 size_t size=0, idx=0;
1065 int clk=0, invert=0, errCnt=0, maxErr=20;
1066 uint32_t hi=0;
1067 uint64_t lo=0;
1068 //clear read buffer
1069 BigBuf_Clear_keep_EM();
1070 // Configure to go in 125Khz listen mode
1071 LFSetupFPGAForADC(95, true);
1072
1073 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1074
1075 WDT_HIT();
1076 if (ledcontrol) LED_A_ON();
1077
1078 DoAcquisition_default(-1,true);
1079 size = BigBuf_max_traceLen();
1080 //askdemod and manchester decode
1081 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1082 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1083 WDT_HIT();
1084
1085 if (errCnt<0) continue;
1086
1087 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1088 if (errCnt){
1089 if (size>64){
1090 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1091 hi,
1092 (uint32_t)(lo>>32),
1093 (uint32_t)lo,
1094 (uint32_t)(lo&0xFFFF),
1095 (uint32_t)((lo>>16LL) & 0xFF),
1096 (uint32_t)(lo & 0xFFFFFF));
1097 } else {
1098 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1099 (uint32_t)(lo>>32),
1100 (uint32_t)lo,
1101 (uint32_t)(lo&0xFFFF),
1102 (uint32_t)((lo>>16LL) & 0xFF),
1103 (uint32_t)(lo & 0xFFFFFF));
1104 }
1105
1106 if (findone){
1107 if (ledcontrol) LED_A_OFF();
1108 *high=lo>>32;
1109 *low=lo & 0xFFFFFFFF;
1110 break;
1111 }
1112 }
1113 WDT_HIT();
1114 hi = lo = size = idx = 0;
1115 clk = invert = errCnt = 0;
1116 }
1117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1118 DbpString("Stopped");
1119 if (ledcontrol) LED_A_OFF();
1120 }
1121
1122 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1123 {
1124 uint8_t *dest = BigBuf_get_addr();
1125 int idx=0;
1126 uint32_t code=0, code2=0;
1127 uint8_t version=0;
1128 uint8_t facilitycode=0;
1129 uint16_t number=0;
1130 int dummyIdx=0;
1131 //clear read buffer
1132 BigBuf_Clear_keep_EM();
1133 // Configure to go in 125Khz listen mode
1134 LFSetupFPGAForADC(95, true);
1135
1136 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1137 WDT_HIT();
1138 if (ledcontrol) LED_A_ON();
1139 DoAcquisition_default(-1,true);
1140 //fskdemod and get start index
1141 WDT_HIT();
1142 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1143 if (idx<0) continue;
1144 //valid tag found
1145
1146 //Index map
1147 //0 10 20 30 40 50 60
1148 //| | | | | | |
1149 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1150 //-----------------------------------------------------------------------------
1151 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1152 //
1153 //XSF(version)facility:codeone+codetwo
1154 //Handle the data
1155 if(findone){ //only print binary if we are doing one
1156 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1157 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1158 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1159 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1160 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1161 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1162 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1163 }
1164 code = bytebits_to_byte(dest+idx,32);
1165 code2 = bytebits_to_byte(dest+idx+32,32);
1166 version = bytebits_to_byte(dest+idx+27,8); //14,4
1167 facilitycode = bytebits_to_byte(dest+idx+18,8);
1168 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1169
1170 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1171 // if we're only looking for one tag
1172 if (findone){
1173 if (ledcontrol) LED_A_OFF();
1174 //LED_A_OFF();
1175 *high=code;
1176 *low=code2;
1177 break;
1178 }
1179 code=code2=0;
1180 version=facilitycode=0;
1181 number=0;
1182 idx=0;
1183
1184 WDT_HIT();
1185 }
1186 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1187 DbpString("Stopped");
1188 if (ledcontrol) LED_A_OFF();
1189 }
1190
1191 /*------------------------------
1192 * T5555/T5557/T5567/T5577 routines
1193 *------------------------------
1194 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1195 *
1196 * Relevant communication times in microsecond
1197 * To compensate antenna falling times shorten the write times
1198 * and enlarge the gap ones.
1199 * Q5 tags seems to have issues when these values changes.
1200 */
1201
1202 /*
1203 // Original Timings for reference
1204 //note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds)
1205
1206 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1207 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1208 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1209 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1210 #define READ_GAP 15*8
1211
1212 */
1213 /* Q5 timing datasheet:
1214 * Type | MIN | Typical | Max |
1215 * Start_Gap | 10*8 | ? | 50*8 |
1216 * Write_Gap Normal mode | 8*8 | 14*8 | 20*8 |
1217 * Write_Gap Fast Mode | 8*8 | ? | 20*8 |
1218 * Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
1219 * Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
1220 * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
1221 * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
1222 */
1223
1224 /* T5557 timing datasheet:
1225 * Type | MIN | Typical | Max |
1226 * Start_Gap | 10*8 | ? | 50*8 |
1227 * Write_Gap Normal mode | 8*8 |50-150us | 30*8 |
1228 * Write_Gap Fast Mode | 8*8 | ? | 20*8 |
1229 * Write_0 Normal mode | 16*8 | 24*8 | 31*8 |
1230 * Write_1 Normal mode | 48*8 | 54*8 | 63*8 |
1231 * Write_0 Fast Mode | 8*8 | 12*8 | 15*8 |
1232 * Write_1 Fast Mode | 24*8 | 28*8 | 31*8 |
1233 */
1234
1235 /* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt):
1236 * Type | MIN | Typical | Max |
1237 * Start_Gap | 8*8 | 15*8 | 50*8 |
1238 * Write_Gap Normal mode | 8*8 | 10*8 | 20*8 |
1239 * Write_Gap Fast Mode | 8*8 | 10*8 | 20*8 |
1240 * Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
1241 * Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
1242 * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
1243 * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
1244 */
1245
1246 // Structure to hold Timing values. In future will be simplier to add user changable timings.
1247 typedef struct {
1248 uint16_t START_GAP;
1249 uint16_t WRITE_GAP;
1250 uint16_t WRITE_0;
1251 uint16_t WRITE_1;
1252 uint16_t WRITE_2;
1253 uint16_t WRITE_3;
1254 uint16_t READ_GAP;
1255 } T55xx_Timing;
1256
1257 // Set Initial/Default Values. Note: *8 can occure when used. This should keep things simplier here.
1258 T55xx_Timing T55xx_Timing_FixedBit = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1259 T55xx_Timing T55xx_Timing_LLR = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1260 T55xx_Timing T55xx_Timing_Leading0 = { 31 * 8 , 20 * 8 , 18 * 8 , 40 * 8 , 0 , 0 , 15 * 8 };
1261 T55xx_Timing T55xx_Timing_1of4 = { 31 * 8 , 20 * 8 , 18 * 8 , 34 * 8 , 50 * 8 , 66 * 8 , 15 * 8 };
1262
1263 // Some defines for readability
1264 #define T55xx_DLMode_Fixed 0 // Default Mode
1265 #define T55xx_DLMode_LLR 1 // Long Leading Reference
1266 #define T55xx_DLMode_Leading0 2 // Leading Zero
1267 #define T55xx_DLMode_1of4 3 // 1 of 4
1268 #define T55xx_LongLeadingReference 4 // Value to tell Write Bit to send long reference
1269 // Macro for code readability
1270 #define BitStream_Byte(X) ((X) >> 3)
1271 #define BitStream_Bit(X) ((X) & 7)
1272
1273
1274 void TurnReadLFOn(int delay) {
1275 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1276 // Give it a bit of time for the resonant antenna to settle.
1277 WaitUS(delay); //155*8 //50*8
1278 }
1279
1280 // Write one bit to card
1281 void T55xxWriteBit(int bit, T55xx_Timing *Timings) {
1282
1283 // If bit = 4 Send Long Leading Reference which is 138 + WRITE_0
1284 // Dbprintf ("Bits : %d",bit);
1285 switch (bit){
1286 case 0 : TurnReadLFOn(Timings->WRITE_0); break; // Send bit 0/00
1287 case 1 : TurnReadLFOn(Timings->WRITE_1); break; // Send bit 1/01
1288 case 2 : TurnReadLFOn(Timings->WRITE_2); break; // Send bits 10
1289 case 3 : TurnReadLFOn(Timings->WRITE_3); break; // Send bits 11
1290 case 4 : TurnReadLFOn(Timings->WRITE_0 + (136 * 8)); break; // Send Long Leading Reference
1291 }
1292 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1293 WaitUS(Timings->WRITE_GAP);
1294 }
1295
1296 // Function to abstract an Arbitrary length byte array to store bit pattern.
1297 // bit_array - Array to hold data/bit pattern
1298 // start_offset - bit location to start storing new bits.
1299 // data - upto 32 bits of data to store
1300 // num_bits - how many bits (low x bits of data) Max 32 bits at a time
1301 // max_len - how many bytes can the bit_array hold (ensure no buffer overflow)
1302 // returns "Next" bit offset / bits stored (for next store)
1303 //int T55xx_SetBits (uint8_t *bit_array, int start_offset, uint32_t data , int num_bits, int max_len)
1304 int T55xx_SetBits (uint8_t *BitStream, uint8_t start_offset, uint32_t data , uint8_t num_bits, uint8_t max_len)
1305 {
1306 int8_t offset;
1307 int8_t NextOffset = start_offset;
1308
1309 // Check if data will fit.
1310 if ((start_offset + num_bits) <= (max_len*8)) {
1311 // Loop through the data and store
1312 for (offset = (num_bits-1); offset >= 0; offset--) {
1313
1314 if ((data >> offset) & 1) BitStream[BitStream_Byte(NextOffset)] |= (1 << BitStream_Bit(NextOffset)); // Set the bit to 1
1315 else BitStream[BitStream_Byte(NextOffset)] &= (0xff ^ (1 << BitStream_Bit(NextOffset))); // Set the bit to 0
1316
1317 NextOffset++;
1318 }
1319 }
1320 else{
1321 // Note: This should never happen unless some code changes cause it.
1322 // So short message for coders when testing.
1323 Dbprintf ("T55 too many bits");
1324 }
1325 return NextOffset;
1326 }
1327
1328 // Send one downlink command to the card
1329 void T55xx_SendCMD (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1330
1331 /*
1332 arg bits
1333 xxxxxxx1 0x01 PwdMode
1334 xxxxxx1x 0x02 Page
1335 xxxxx1xx 0x04 testMode
1336 xxx11xxx 0x18 downlink mode
1337 xx1xxxxx 0x20 !reg_readmode
1338 x1xxxxxx 0x40 called for a read, so no data packet
1339 1xxxxxxx 0x80 reset
1340
1341 */
1342 bool PwdMode = ((arg & 0x01) == 0x01);
1343 bool Page = (arg & 0x02);
1344 bool testMode = ((arg & 0x04) == 0x04);
1345 uint8_t downlink_mode = (arg >> 3) & 0x03;
1346 bool reg_readmode = ((arg & 0x20) == 0x20);
1347 bool read_cmd = ((arg & 0x40) == 0x40);
1348 bool reset = (arg & 0x80);
1349
1350 uint8_t i = 0;
1351 uint8_t BitStream[10]; // Max Downlink Command size ~74 bits, so 10 bytes (80 bits)
1352 uint8_t BitStreamLen;
1353 T55xx_Timing *Timing;
1354 uint8_t SendBits;
1355
1356 // Assigning Downlink Timeing for write
1357 switch (downlink_mode)
1358 {
1359 case T55xx_DLMode_Fixed : Timing = &T55xx_Timing_FixedBit; break;
1360 case T55xx_DLMode_LLR : Timing = &T55xx_Timing_LLR; break;
1361 case T55xx_DLMode_Leading0 : Timing = &T55xx_Timing_Leading0; break;
1362 case T55xx_DLMode_1of4 : Timing = &T55xx_Timing_1of4; break;
1363 default:
1364 Timing = &T55xx_Timing_FixedBit;
1365 }
1366
1367 // Build Bit Stream to send.
1368 memset (BitStream,0x00,sizeof(BitStream));
1369
1370 BitStreamLen = 0; // Ensure 0 bit index to start.
1371
1372 // Add Leading 0 and 1 of 4 reference bit
1373 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4))
1374 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1375
1376 // Add extra reference 0 for 1 of 4
1377 if (downlink_mode == T55xx_DLMode_1of4)
1378 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1379
1380 // Add Opcode
1381 if (reset) {
1382 // Reset : r*) 00
1383 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream));
1384 }
1385 else
1386 {
1387 if (testMode) Dbprintf("TestMODE");
1388 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 0 : 1 , 1,sizeof(BitStream));
1389 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 1 : Page , 1,sizeof(BitStream));
1390
1391 if (PwdMode) {
1392 // Leading 0 and 1 of 4 00 fixed bits if passsword used
1393 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4)) {
1394 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream));
1395 }
1396 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Pwd, 32,sizeof(BitStream));
1397 }
1398
1399 // Add Lock bit 0
1400 if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1401
1402 // Add Data if a write command
1403 if (!read_cmd) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Data, 32,sizeof(BitStream));
1404
1405 // Add Address
1406 if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Block, 3,sizeof(BitStream));
1407 }
1408
1409 // Send Bits to T55xx
1410 // Set up FPGA, 125kHz
1411 LFSetupFPGAForADC(95, true);
1412 StartTicks();
1413 // make sure tag is fully powered up...
1414 WaitMS(5);
1415 // Trigger T55x7 in mode.
1416 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1417 WaitUS(Timing->START_GAP);
1418
1419 // If long leading 0 send long reference pulse
1420 if (downlink_mode == T55xx_DLMode_LLR)
1421 T55xxWriteBit (T55xx_LongLeadingReference,Timing); // Send Long Leading Start Reference
1422
1423 if (downlink_mode == T55xx_DLMode_1of4) { // 1 of 4 need to send 2 bits at a time
1424 for ( i = 0; i < BitStreamLen-1; i+=2 ) {
1425 SendBits = (BitStream[BitStream_Byte(i )] >> (BitStream_Bit(i )) & 1) << 1; // Bit i
1426 SendBits += (BitStream[BitStream_Byte(i+1)] >> (BitStream_Bit(i+1)) & 1); // Bit i+1;
1427 T55xxWriteBit (SendBits & 3,Timing);
1428 }
1429 }
1430 else {
1431 for (i = 0; i < BitStreamLen; i++) {
1432 SendBits = (BitStream[BitStream_Byte(i)] >> BitStream_Bit(i));
1433 T55xxWriteBit (SendBits & 1,Timing);
1434 }
1435 }
1436 }
1437
1438 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1439 void T55xxResetRead(void) {
1440 LED_A_ON();
1441
1442 // send r* 00
1443 uint8_t arg = 0x80; // SendCMD will add correct reference mode based on flags (when added).
1444
1445 // Add in downlink_mode when ready
1446 // arg |= 0x00; // dlmode << 3 (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )
1447
1448 //clear buffer now so it does not interfere with timing later
1449 BigBuf_Clear_keep_EM();
1450
1451 T55xx_SendCMD (0, 0, 0, arg); //, true);
1452
1453 TurnReadLFOn(T55xx_Timing_FixedBit.READ_GAP);
1454
1455 // Acquisition
1456 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1457
1458 // Turn the field off
1459 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1460 cmd_send(CMD_ACK,0,0,0,0,0);
1461 LED_A_OFF();
1462 }
1463
1464 // Write one card block in page 0, no lock
1465 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1466 /*
1467 arg bits
1468 xxxxxxx1 0x01 PwdMode
1469 xxxxxx1x 0x02 Page
1470 xxxxx1xx 0x04 testMode
1471 xxx11xxx 0x18 downlink mode
1472 xx1xxxxx 0x20 !reg_readmode
1473 x1xxxxxx 0x40 called for a read, so no data packet
1474 1xxxxxxx 0x80 reset
1475 */
1476
1477 bool testMode = ((arg & 0x04) == 0x04);
1478 arg &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
1479
1480 LED_A_ON ();
1481 T55xx_SendCMD (Data, Block, Pwd, arg) ;//, false);
1482
1483 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1484 // so wait a little more)
1485
1486 // "there is a clock delay before programming"
1487 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1488 // so we should wait 1 clock + 5.6ms then read response?
1489 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1490 if (testMode) {
1491 //TESTMODE TIMING TESTS:
1492 // <566us does nothing
1493 // 566-568 switches between wiping to 0s and doing nothing
1494 // 5184 wipes and allows 1 block to be programmed.
1495 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1496 TurnReadLFOn(5184);
1497
1498 } else {
1499 TurnReadLFOn(20 * 1000);
1500 //could attempt to do a read to confirm write took
1501 // as the tag should repeat back the new block
1502 // until it is reset, but to confirm it we would
1503 // need to know the current block 0 config mode for
1504 // modulation clock an other details to demod the response...
1505 // response should be (for t55x7) a 0 bit then (ST if on)
1506 // block data written in on repeat until reset.
1507
1508 //DoPartialAcquisition(20, true, 12000);
1509 }
1510 // turn field off
1511 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1512
1513 cmd_send(CMD_ACK,0,0,0,0,0);
1514
1515 LED_A_OFF ();
1516 }
1517
1518 // Read one card block in page [page]
1519 void T55xxReadBlock (uint16_t arg0, uint8_t Block, uint32_t Pwd) {//, struct T55xx_Timing *Timing) {
1520
1521 LED_A_ON();
1522
1523 /*
1524 arg bits
1525 xxxxxxx1 0x01 PwdMode
1526 xxxxxx1x 0x02 Page
1527 xxxxx1xx 0x04 testMode
1528 xxx11xxx 0x18 downlink mode
1529 xx1xxxxx 0x20 !reg_readmode
1530 x1xxxxxx 0x40 called for a read, so no data packet
1531 1xxxxxxx 0x80 reset
1532 */
1533
1534 // Set Read Flag to ensure SendCMD does not add "data" to the packet
1535 arg0 |= 0x40;
1536
1537 // RegRead Mode true of block 0xff
1538 if (Block == 0xff) arg0 |= 0x20;
1539
1540 //make sure block is at max 7
1541 Block &= 0x7;
1542
1543 //clear buffer now so it does not interfere with timing later
1544 BigBuf_Clear_ext(false);
1545
1546 T55xx_SendCMD (0, Block, Pwd, arg0); //, true);
1547
1548 // Turn field on to read the response
1549 // 137*8 seems to get to the start of data pretty well...
1550 // but we want to go past the start and let the repeating data settle in...
1551 TurnReadLFOn(210*8);
1552
1553 // Acquisition
1554 // Now do the acquisition
1555 DoPartialAcquisition(0, true, 12000, 0);
1556
1557 // Turn the field off
1558 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1559 cmd_send(CMD_ACK,0,0,0,0,0);
1560
1561 LED_A_OFF();
1562 }
1563
1564 void T55xxWakeUp(uint32_t Pwd){
1565 LED_B_ON();
1566 /*
1567 arg bits
1568 xxxxxxx1 0x01 PwdMode
1569 xxxxxx1x 0x02 Page
1570 xxxxx1xx 0x04 testMode
1571 xxx11xxx 0x18 downlink mode
1572 xx1xxxxx 0x20 !reg_readmode
1573 x1xxxxxx 0x40 called for a read, so no data packet
1574 1xxxxxxx 0x80 reset
1575 */
1576
1577 // r* 10 (00) <pwd> r* for llr , L0 and 1/4 - (00) for L0 and 1/4 - All handled in SendCMD
1578 // So, default Opcode 10 and pwd.
1579 uint8_t arg = 0x01 | 0x40 | 0x20; //Password Read Call no data | reg_read no block
1580
1581 // Add in downlink_mode when ready
1582 // arg |= 0x00; // dlmode << 3 (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )
1583
1584 T55xx_SendCMD (0, 0, Pwd, arg); //, true);
1585
1586 // Turn and leave field on to let the begin repeating transmission
1587 TurnReadLFOn(20*1000);
1588 }
1589
1590 /*-------------- Cloning routines -----------*/
1591
1592 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1593 // write last block first and config block last (if included)
1594 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1595 T55xxWriteBlock(blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1596 // T55xx_SendCMD (blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1597 }
1598 }
1599
1600 // Copy a HID-like card (e.g. HID Proximity, Paradox) to a T55x7 compatible card
1601 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble) {
1602 uint32_t data[] = {0,0,0,0,0,0,0};
1603 uint8_t last_block = 0;
1604
1605 if (longFMT) {
1606 // Ensure no more than 84 bits supplied
1607 if (hi2>0xFFFFF) {
1608 DbpString("Tags can only have 84 bits.");
1609 return;
1610 }
1611 // Build the 6 data blocks for supplied 84bit ID
1612 last_block = 6;
1613 // load preamble & long format identifier (9E manchester encoded)
1614 data[1] = (preamble << 24) | 0x96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1615 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1616 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1617 data[3] = manchesterEncode2Bytes(hi >> 16);
1618 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1619 data[5] = manchesterEncode2Bytes(lo >> 16);
1620 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1621 } else {
1622 // Ensure no more than 44 bits supplied
1623 if (hi>0xFFF) {
1624 DbpString("Tags can only have 44 bits.");
1625 return;
1626 }
1627 // Build the 3 data blocks for supplied 44bit ID
1628 last_block = 3;
1629 // load preamble
1630 data[1] = (preamble << 24) | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1631 data[2] = manchesterEncode2Bytes(lo >> 16);
1632 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1633 }
1634 // load chip config block
1635 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1636
1637 //TODO add selection of chip for Q5 or T55x7
1638 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1639
1640 LED_D_ON();
1641 // Program the data blocks for supplied ID
1642 // and the block 0 for HID format
1643 WriteT55xx(data, 0, last_block+1);
1644
1645 LED_D_OFF();
1646
1647 DbpString("DONE!");
1648 }
1649
1650 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1651 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1652 //TODO add selection of chip for Q5 or T55x7
1653 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1654
1655 LED_D_ON();
1656 // Program the data blocks for supplied ID
1657 // and the block 0 config
1658 WriteT55xx(data, 0, 3);
1659
1660 LED_D_OFF();
1661
1662 DbpString("DONE!");
1663 }
1664
1665 // Clone Indala 64-bit tag by UID to T55x7
1666 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1667 //Program the 2 data blocks for supplied 64bit UID
1668 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1669 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1670 //TODO add selection of chip for Q5 or T55x7
1671 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1672
1673 WriteT55xx(data, 0, 3);
1674 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1675 // T5567WriteBlock(0x603E1042,0);
1676 DbpString("DONE!");
1677 }
1678 // Clone Indala 224-bit tag by UID to T55x7
1679 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1680 //Program the 7 data blocks for supplied 224bit UID
1681 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1682 // and the block 0 for Indala224 format
1683 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1684 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1685 //TODO add selection of chip for Q5 or T55x7
1686 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1687 WriteT55xx(data, 0, 8);
1688 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1689 // T5567WriteBlock(0x603E10E2,0);
1690 DbpString("DONE!");
1691 }
1692 // clone viking tag to T55xx
1693 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1694 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1695 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1696 // Program the data blocks for supplied ID and the block 0 config
1697 WriteT55xx(data, 0, 3);
1698 LED_D_OFF();
1699 cmd_send(CMD_ACK,0,0,0,0,0);
1700 }
1701
1702 // Define 9bit header for EM410x tags
1703 #define EM410X_HEADER 0x1FF
1704 #define EM410X_ID_LENGTH 40
1705
1706 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1707 int i, id_bit;
1708 uint64_t id = EM410X_HEADER;
1709 uint64_t rev_id = 0; // reversed ID
1710 int c_parity[4]; // column parity
1711 int r_parity = 0; // row parity
1712 uint32_t clock = 0;
1713
1714 // Reverse ID bits given as parameter (for simpler operations)
1715 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1716 if (i < 32) {
1717 rev_id = (rev_id << 1) | (id_lo & 1);
1718 id_lo >>= 1;
1719 } else {
1720 rev_id = (rev_id << 1) | (id_hi & 1);
1721 id_hi >>= 1;
1722 }
1723 }
1724
1725 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1726 id_bit = rev_id & 1;
1727
1728 if (i % 4 == 0) {
1729 // Don't write row parity bit at start of parsing
1730 if (i)
1731 id = (id << 1) | r_parity;
1732 // Start counting parity for new row
1733 r_parity = id_bit;
1734 } else {
1735 // Count row parity
1736 r_parity ^= id_bit;
1737 }
1738
1739 // First elements in column?
1740 if (i < 4)
1741 // Fill out first elements
1742 c_parity[i] = id_bit;
1743 else
1744 // Count column parity
1745 c_parity[i % 4] ^= id_bit;
1746
1747 // Insert ID bit
1748 id = (id << 1) | id_bit;
1749 rev_id >>= 1;
1750 }
1751
1752 // Insert parity bit of last row
1753 id = (id << 1) | r_parity;
1754
1755 // Fill out column parity at the end of tag
1756 for (i = 0; i < 4; ++i)
1757 id = (id << 1) | c_parity[i];
1758
1759 // Add stop bit
1760 id <<= 1;
1761
1762 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1763 LED_D_ON();
1764
1765 // Write EM410x ID
1766 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1767
1768 clock = (card & 0xFF00) >> 8;
1769 clock = (clock == 0) ? 64 : clock;
1770 Dbprintf("Clock rate: %d", clock);
1771 if (card & 0xFF) { //t55x7
1772 clock = GetT55xxClockBit(clock);
1773 if (clock == 0) {
1774 Dbprintf("Invalid clock rate: %d", clock);
1775 return;
1776 }
1777 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1778 } else { //t5555 (Q5)
1779 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1780 }
1781
1782 WriteT55xx(data, 0, 3);
1783
1784 LED_D_OFF();
1785 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1786 (uint32_t)(id >> 32), (uint32_t)id);
1787 }
1788
1789 //-----------------------------------
1790 // EM4469 / EM4305 routines
1791 //-----------------------------------
1792 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1793 #define FWD_CMD_WRITE 0xA
1794 #define FWD_CMD_READ 0x9
1795 #define FWD_CMD_DISABLE 0x5
1796 #define FWD_CMD_PROTECT 0x3
1797
1798 uint8_t forwardLink_data[64]; //array of forwarded bits
1799 uint8_t * forward_ptr; //ptr for forward message preparation
1800 uint8_t fwd_bit_sz; //forwardlink bit counter
1801 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1802
1803 //====================================================================
1804 // prepares command bits
1805 // see EM4469 spec
1806 //====================================================================
1807 //--------------------------------------------------------------------
1808 // VALUES TAKEN FROM EM4x function: SendForward
1809 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1810 // WRITE_GAP = 128; (16*8)
1811 // WRITE_1 = 256 32*8; (32*8)
1812
1813 // These timings work for 4469/4269/4305 (with the 55*8 above)
1814 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1815
1816 uint8_t Prepare_Cmd( uint8_t cmd ) {
1817
1818 *forward_ptr++ = 0; //start bit
1819 *forward_ptr++ = 0; //second pause for 4050 code
1820
1821 *forward_ptr++ = cmd;
1822 cmd >>= 1;
1823 *forward_ptr++ = cmd;
1824 cmd >>= 1;
1825 *forward_ptr++ = cmd;
1826 cmd >>= 1;
1827 *forward_ptr++ = cmd;
1828
1829 return 6; //return number of emited bits
1830 }
1831
1832 //====================================================================
1833 // prepares address bits
1834 // see EM4469 spec
1835 //====================================================================
1836 uint8_t Prepare_Addr( uint8_t addr ) {
1837
1838 register uint8_t line_parity;
1839
1840 uint8_t i;
1841 line_parity = 0;
1842 for(i=0;i<6;i++) {
1843 *forward_ptr++ = addr;
1844 line_parity ^= addr;
1845 addr >>= 1;
1846 }
1847
1848 *forward_ptr++ = (line_parity & 1);
1849
1850 return 7; //return number of emited bits
1851 }
1852
1853 //====================================================================
1854 // prepares data bits intreleaved with parity bits
1855 // see EM4469 spec
1856 //====================================================================
1857 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1858
1859 register uint8_t line_parity;
1860 register uint8_t column_parity;
1861 register uint8_t i, j;
1862 register uint16_t data;
1863
1864 data = data_low;
1865 column_parity = 0;
1866
1867 for(i=0; i<4; i++) {
1868 line_parity = 0;
1869 for(j=0; j<8; j++) {
1870 line_parity ^= data;
1871 column_parity ^= (data & 1) << j;
1872 *forward_ptr++ = data;
1873 data >>= 1;
1874 }
1875 *forward_ptr++ = line_parity;
1876 if(i == 1)
1877 data = data_hi;
1878 }
1879
1880 for(j=0; j<8; j++) {
1881 *forward_ptr++ = column_parity;
1882 column_parity >>= 1;
1883 }
1884 *forward_ptr = 0;
1885
1886 return 45; //return number of emited bits
1887 }
1888
1889 //====================================================================
1890 // Forward Link send function
1891 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1892 // fwd_bit_count set with number of bits to be sent
1893 //====================================================================
1894 void SendForward(uint8_t fwd_bit_count) {
1895
1896 fwd_write_ptr = forwardLink_data;
1897 fwd_bit_sz = fwd_bit_count;
1898
1899 // Set up FPGA, 125kHz or 95 divisor
1900 LFSetupFPGAForADC(95, true);
1901
1902 // force 1st mod pulse (start gap must be longer for 4305)
1903 fwd_bit_sz--; //prepare next bit modulation
1904 fwd_write_ptr++;
1905 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1906 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1907 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1908 WaitUS(18*8); //18 cycles on (8us each)
1909
1910 // now start writting
1911 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1912 if(((*fwd_write_ptr++) & 1) == 1)
1913 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1914 else {
1915 //These timings work for 4469/4269/4305 (with the 55*8 above)
1916 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1917 WaitUS(23*8); //23 cycles off (8us each)
1918 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1919 WaitUS(18*8); //18 cycles on (8us each)
1920 }
1921 }
1922 }
1923
1924 void EM4xLogin(uint32_t Password) {
1925
1926 uint8_t fwd_bit_count;
1927
1928 forward_ptr = forwardLink_data;
1929 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1930 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1931
1932 SendForward(fwd_bit_count);
1933
1934 //Wait for command to complete
1935 SpinDelay(20);
1936 }
1937
1938 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1939
1940 uint8_t fwd_bit_count;
1941
1942 // Clear destination buffer before sending the command
1943 BigBuf_Clear_ext(false);
1944
1945 LED_A_ON();
1946 StartTicks();
1947 //If password mode do login
1948 if (PwdMode == 1) EM4xLogin(Pwd);
1949
1950 forward_ptr = forwardLink_data;
1951 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1952 fwd_bit_count += Prepare_Addr( Address );
1953
1954 SendForward(fwd_bit_count);
1955 WaitUS(400);
1956 // Now do the acquisition
1957 DoPartialAcquisition(20, true, 6000, 1000);
1958
1959 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1960 LED_A_OFF();
1961 cmd_send(CMD_ACK,0,0,0,0,0);
1962 }
1963
1964 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1965
1966 bool PwdMode = (flag & 0x1);
1967 uint8_t Address = (flag >> 8) & 0xFF;
1968 uint8_t fwd_bit_count;
1969
1970 //clear buffer now so it does not interfere with timing later
1971 BigBuf_Clear_ext(false);
1972
1973 LED_A_ON();
1974 StartTicks();
1975 //If password mode do login
1976 if (PwdMode) EM4xLogin(Pwd);
1977
1978 forward_ptr = forwardLink_data;
1979 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1980 fwd_bit_count += Prepare_Addr( Address );
1981 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1982
1983 SendForward(fwd_bit_count);
1984
1985 //Wait for write to complete
1986 //SpinDelay(10);
1987
1988 WaitUS(6500);
1989 //Capture response if one exists
1990 DoPartialAcquisition(20, true, 6000, 1000);
1991
1992 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1993 LED_A_OFF();
1994 cmd_send(CMD_ACK,0,0,0,0,0);
1995 }
1996
1997 void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1998
1999 bool PwdMode = (flag & 0x1);
2000 uint8_t fwd_bit_count;
2001
2002 //clear buffer now so it does not interfere with timing later
2003 BigBuf_Clear_ext(false);
2004
2005 LED_A_ON();
2006 StartTicks();
2007 //If password mode do login
2008 if (PwdMode) EM4xLogin(Pwd);
2009
2010 forward_ptr = forwardLink_data;
2011 fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT );
2012
2013 //unsure if this needs the full packet config...
2014 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
2015
2016 SendForward(fwd_bit_count);
2017
2018 //Wait for write to complete
2019 //SpinDelay(10);
2020
2021 WaitUS(6500);
2022 //Capture response if one exists
2023 DoPartialAcquisition(20, true, 6000, 1000);
2024
2025 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2026 LED_A_OFF();
2027 cmd_send(CMD_ACK,0,0,0,0,0);
2028 }
2029 /*
2030 Reading a COTAG.
2031
2032 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
2033 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
2034
2035 READER START SEQUENCE:
2036 burst 800 us, gap 2.2 msecs
2037 burst 3.6 msecs gap 2.2 msecs
2038 burst 800 us gap 2.2 msecs
2039 pulse 3.6 msecs
2040
2041 This triggers a COTAG tag to response
2042 */
2043 void Cotag(uint32_t arg0) {
2044
2045 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
2046 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
2047
2048 uint8_t rawsignal = arg0 & 0xF;
2049
2050 LED_A_ON();
2051
2052 // Switching to LF image on FPGA. This might empty BigBuff
2053 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2054
2055 //clear buffer now so it does not interfere with timing later
2056 BigBuf_Clear_ext(false);
2057
2058 // Set up FPGA, 132kHz to power up the tag
2059 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
2060 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2061
2062 // Connect the A/D to the peak-detected low-frequency path.
2063 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2064
2065 // Now set up the SSC to get the ADC samples that are now streaming at us.
2066 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_ADC);
2067
2068 // start clock - 1.5ticks is 1us
2069 StartTicks();
2070
2071 //send COTAG start pulse
2072 ON(740) OFF
2073 ON(3330) OFF
2074 ON(740) OFF
2075 ON(1000)
2076
2077 switch(rawsignal) {
2078 case 0: doCotagAcquisition(50000); break;
2079 case 1: doCotagAcquisitionManchester(); break;
2080 case 2: DoAcquisition_config(true, 0); break;
2081 }
2082
2083 // Turn the field off
2084 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2085 cmd_send(CMD_ACK,0,0,0,0,0);
2086 LED_A_OFF();
2087 }
Proxmark3 GIT tracking
Impressum, Datenschutz