1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, April 2006
3 // iZsh <izsh at fail0verflow.com>, 2014
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Routines to load the FPGA image, and then to configure the FPGA's major
10 // mode once it is configured.
11 //-----------------------------------------------------------------------------
12
13 #include "fpgaloader.h"
14
15 #include <stdint.h>
16 #include <stddef.h>
17 #include <stdbool.h>
18 #include "apps.h"
19 #include "fpga.h"
20 #include "proxmark3.h"
21 #include "util.h"
22 #include "string.h"
23 #include "BigBuf.h"
24 #include "zlib.h"
25
// Remember which version of the bitstream we have already downloaded to the FPGA.
// 0 is the initial value, i.e. no download has been recorded yet.
static int downloaded_bitstream = 0;

// This is where the bitstreams are located in memory. The range between the two
// symbols is handed to inflate() as its compressed input (see reset_fpga_stream).
extern uint8_t _binary_obj_fpga_all_bit_z_start, _binary_obj_fpga_all_bit_z_end;

// Read cursor into the inflate output buffer: next decompressed byte to hand out.
static uint8_t *fpga_image_ptr = NULL;
// Number of decompressed bytes handed out so far; drives the de-interleaving.
static uint32_t uncompressed_bytes_cnt;

// Size in bytes of the buffer inflate() decompresses into.
#define OUTPUT_BUFFER_LEN 80
36
//-----------------------------------------------------------------------------
// Configure the Serial Peripheral Interface as bus master.
// The bus is used to write the FPGA config word and may also be used to talk
// to other SPI attached devices like an LCD.
// mode: SPI_FPGA_MODE or SPI_LCD_MODE; any other value disables the SPI
//       peripheral again (after the pin and clock setup below has been done).
//-----------------------------------------------------------------------------
void SetupSpi(int mode)
{
	// PA10 -> SPI_NCS2 chip select (LCD)
	// PA11 -> SPI_NCS0 chip select (FPGA)
	// PA12 -> SPI_MISO Master-In Slave-Out
	// PA13 -> SPI_MOSI Master-Out Slave-In
	// PA14 -> SPI_SPCK Serial Clock
	const uint32_t periph_a_pins = GPIO_NCS0 | GPIO_MISO | GPIO_MOSI | GPIO_SPCK;

	// Mode register bits shared by both modes; only the chip select differs
	const uint32_t mr_common =
		( 0 << 24) |	// Delay between chip selects (take default: 6 MCK periods)
		( 0 <<  7) |	// Local Loopback Disabled
		( 1 <<  4) |	// Mode Fault Detection disabled
		( 0 <<  2) |	// Chip selects connected directly to peripheral
		( 0 <<  1) |	// Fixed Peripheral Select
		( 1 <<  0);	// Master Mode

	// Chip select register bits shared by both modes; only the word size differs
	const uint32_t csr_common =
		( 1 << 24) |	// Delay between Consecutive Transfers (32 MCK periods)
		( 1 << 16) |	// Delay Before SPCK (1 MCK period)
		( 6 <<  8) |	// Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud)
		( 0 <<  3) |	// Chip Select inactive after transfer
		( 1 <<  1) |	// Clock Phase data captured on leading edge, changes on following edge
		( 0 <<  0);	// Clock Polarity inactive state is logic 0

	// Disable PIO control of the SPI pins, allows use by the SPI peripheral
	AT91C_BASE_PIOA->PIO_PDR = periph_a_pins | GPIO_NCS2;

	// Route the pins to the peripheral functions: NCS2 via select B, the rest via select A
	AT91C_BASE_PIOA->PIO_ASR = periph_a_pins;
	AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2;

	// Enable the SPI peripheral clock
	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SPI);
	// Enable SPI
	AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIEN;

	if (mode == SPI_FPGA_MODE) {
		// Peripheral Chip Select 14 (selects FPGA SPI_NCS0 or PA11)
		AT91C_BASE_SPI->SPI_MR = mr_common | (14 << 16);
		// Bits per Transfer field 8 (16 bits)
		AT91C_BASE_SPI->SPI_CSR[0] = csr_common | ( 8 << 4);
	} else if (mode == SPI_LCD_MODE) {
		// Peripheral Chip Select 11 (selects LCD SPI_NCS2 or PA10)
		AT91C_BASE_SPI->SPI_MR = mr_common | (11 << 16);
		// Bits per Transfer field 1 (9 bits)
		AT91C_BASE_SPI->SPI_CSR[2] = csr_common | ( 1 << 4);
	} else {
		// Unknown mode: disable SPI
		AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS;
	}
}
113
//-----------------------------------------------------------------------------
// Configure the synchronous serial port (SSC) with the options that fit the
// given FPGA mode. Both RX and TX are always enabled.
// FPGA_mode: FPGA mode word; only its major mode bits (mask 0xe0) are examined.
//-----------------------------------------------------------------------------
void FpgaSetupSsc(uint8_t FPGA_mode)
{
	const uint32_t ssc_pins = GPIO_SSC_FRAME | GPIO_SSC_DIN | GPIO_SSC_DOUT | GPIO_SSC_CLK;

	// First configure the GPIOs, and get ourselves a clock.
	AT91C_BASE_PIOA->PIO_ASR = ssc_pins;
	AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;

	AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC);

	// Now set up the SSC proper, starting from a known state.
	AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;

	// RX clock comes from TX clock, RX starts on Transmit Start,
	// data and frame signal is sampled on falling edge of RK
	AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);

	// 16 bit words are used only for the HF reader major mode while the HF
	// bitstream is the current one; every other combination uses 8 bit words.
	// In both cases: no loopback, MSB first, 1 transfer per sync pulse, no output sync.
	bool use_16_bit_words = (FPGA_mode & 0xe0) == FPGA_MAJOR_MODE_HF_READER
		&& FpgaGetCurrent() == FPGA_BITSTREAM_HF;
	AT91C_BASE_SSC->SSC_RFMR = use_16_bit_words
		? (SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0))
		: (SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0));

	// TX clock comes from TK pin, no clock output, outputs change on falling
	// edge of TK, frame sync is sampled on rising edge of TK, start TX on rising edge of TF
	AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);

	// TX framing mirrors the RX framing (read back from the register just written)
	AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;

	AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
}
154
//-----------------------------------------------------------------------------
// Set up DMA to receive samples from the FPGA. The PDC is programmed with the
// same buffer as both the current and the next transfer, so the single buffer
// acts as a circular buffer (we chain back to ourselves, not to another
// buffer). The stuff to manipulate those buffers is in apps.h, because it
// should be inlined, for speed.
// buf:          destination memory; the caller must provide at least
//               sample_count samples of space, nothing here checks the size
// sample_count: transfer count programmed into the PDC counters
// Returns false without touching the hardware when buf is NULL, true otherwise.
//-----------------------------------------------------------------------------
bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count)
{
	if (!buf) {
		return false;
	}

	const uint32_t dma_target = (uint32_t) buf;

	// Disable DMA transfer while the pointers and counters are rewritten
	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
	// Current transfer: address and number of samples
	AT91C_BASE_PDC_SSC->PDC_RPR = dma_target;
	AT91C_BASE_PDC_SSC->PDC_RCR = sample_count;
	// Next transfer: same address, same number of samples
	AT91C_BASE_PDC_SSC->PDC_RNPR = dma_target;
	AT91C_BASE_PDC_SSC->PDC_RNCR = sample_count;
	// go!
	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;

	return true;
}
173
174
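//----------------------------------------------------------------------------
// Uncompress (inflate) the FPGA data. Returns one decompressed byte (0..255)
// with each call, or a negative zlib error code when no byte is available.
//
// output_buffer must hold OUTPUT_BUFFER_LEN bytes. It is refilled whenever the
// read cursor fpga_image_ptr has caught up with the stream's next_out.
//----------------------------------------------------------------------------
static int get_from_fpga_combined_stream(z_streamp compressed_fpga_stream, uint8_t *output_buffer)
{
	if (fpga_image_ptr == compressed_fpga_stream->next_out) { // need more data
		compressed_fpga_stream->next_out = output_buffer;
		compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
		fpga_image_ptr = output_buffer;
		int res = inflate(compressed_fpga_stream, Z_SYNC_FLUSH);
		if (res != Z_OK) {
			Dbprintf("inflate returned: %d, %s", res, compressed_fpga_stream->msg);
		}

		if (res < 0) {
			return res;
		}

		// A non-negative result does not guarantee output (e.g. the end of the
		// stream was already reached). Without this check the cursor would step
		// past next_out, the "need more data" test above would never match
		// again, and later calls would read beyond output_buffer.
		if (compressed_fpga_stream->next_out == output_buffer) {
			return Z_BUF_ERROR;
		}
	}

	uncompressed_bytes_cnt++;

	return *fpga_image_ptr++;
}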
197
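//----------------------------------------------------------------------------
// Undo the interleaving of several FPGA config files. FPGA config files
// are combined into one big file:
// 288 bytes from FPGA file 1, followed by 288 bytes from FPGA file 2, etc.
// (the chunk size used by the code is FPGA_INTERLEAVE_SIZE).
//
// Returns the next byte (0..255) belonging to bitstream_version, or a negative
// zlib error code if decompression fails, including while skipping.
//----------------------------------------------------------------------------
static int get_from_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
{
	while ((uncompressed_bytes_cnt / FPGA_INTERLEAVE_SIZE) % fpga_bitstream_num != (bitstream_version - 1)) {
		// skip undesired data belonging to other bitstream_versions
		int skipped = get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
		if (skipped < 0) {
			// uncompressed_bytes_cnt does not advance on an error, so the loop
			// condition could never change: bail out instead of spinning forever.
			return skipped;
		}
	}

	return get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
}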
213
214
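// zlib allocation callback: serves inflate's memory requests from BigBuf.
// opaque is unused. Returns Z_NULL when items * size does not fit into a uInt,
// so that a wrapped product can never yield an undersized allocation.
// NOTE(review): the parameter width of BigBuf_malloc() is not visible here;
// confirm it can represent every size zlib requests.
static voidpf fpga_inflate_malloc(voidpf opaque, uInt items, uInt size)
{
	(void) opaque;

	if (size != 0 && items > (uInt)-1 / size) {
		return Z_NULL;
	}

	return BigBuf_malloc(items * size);
}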
219
220
// zlib release callback. Neither argument is used: instead of releasing the
// single allocation at `address`, it calls BigBuf_free() and then
// BigBuf_Clear_ext(false).
// NOTE(review): presumably this drops every BigBuf allocation at once, so it
// is only safe while zlib is the sole BigBuf user; verify against BigBuf.c.
static void fpga_inflate_free(voidpf opaque, voidpf address)
{
	(void) opaque;
	(void) address;

	BigBuf_free();
	BigBuf_Clear_ext(false);
}
225
226
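//----------------------------------------------------------------------------
// Initialize decompression of the respective (HF or LF) FPGA stream and
// consume its fixed header.
//
// Returns true only if inflate could be initialized, the header bytes could be
// decompressed, and they match bitparse_fixed_header. On a false return the
// memory zlib obtained through fpga_inflate_malloc() may still be allocated;
// releasing it is left to the caller.
//----------------------------------------------------------------------------
static bool reset_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
{
	uint8_t header[FPGA_BITSTREAM_FIXED_HEADER_SIZE];

	uncompressed_bytes_cnt = 0;

	// initialize z_stream structure for inflate:
	compressed_fpga_stream->next_in = &_binary_obj_fpga_all_bit_z_start;
	compressed_fpga_stream->avail_in = &_binary_obj_fpga_all_bit_z_end - &_binary_obj_fpga_all_bit_z_start;
	compressed_fpga_stream->next_out = output_buffer;
	compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
	compressed_fpga_stream->zalloc = &fpga_inflate_malloc;
	compressed_fpga_stream->zfree = &fpga_inflate_free;
	// zlib hands opaque to the callbacks; give it a defined value even though
	// the callbacks ignore it.
	compressed_fpga_stream->opaque = Z_NULL;

	fpga_image_ptr = output_buffer;

	// windowBits 0: take the window size from the zlib header of the stream.
	// A failed init (e.g. no memory) must not be followed by inflate() calls.
	if (inflateInit2(compressed_fpga_stream, 0) != Z_OK) {
		return false;
	}

	for (uint16_t i = 0; i < FPGA_BITSTREAM_FIXED_HEADER_SIZE; i++) {
		int b = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
		if (b < 0) {
			// decompression error: do not compare a header built from error codes
			return false;
		}
		header[i] = (uint8_t) b;
	}

	// Check for a valid .bit file (starts with bitparse_fixed_header)
	return memcmp(bitparse_fixed_header, header, FPGA_BITSTREAM_FIXED_HEADER_SIZE) == 0;
}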
259
260
// Shift one byte into the FPGA, most significant bit first: for every bit the
// data line GPIO_FPGA_DIN is set to the bit value and GPIO_FPGA_CCLK is then
// pulsed high and low again.
static void DownloadFPGA_byte(unsigned char w)
{
	for (int bit = 7; bit >= 0; bit--) {
		if (w & (1 << bit)) {
			HIGH(GPIO_FPGA_DIN);
		} else {
			LOW(GPIO_FPGA_DIN);
		}
		HIGH(GPIO_FPGA_CCLK);
		LOW(GPIO_FPGA_CCLK);
	}
}
273
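// Download the fpga image starting at current stream position with length FpgaImageLen bytes.
//
// Failure is only signalled visually: LED C and LED D are left on and the
// function returns. That happens when the FPGA does not raise NINIT after the
// program pulse, or when DONE is still low after the image has been sent and
// the extra clock pulses are used up. A decompression error stops the byte
// transfer early and is then normally caught by the DONE check.
// On success LED D is switched off again.
static void DownloadFPGA(int bitstream_version, int FpgaImageLen, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
{
	int i = 0;

	AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
	AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON;
	HIGH(GPIO_FPGA_ON);		// ensure everything is powered on

	SpinDelay(50);

	LED_D_ON();

	// These pins are inputs
	AT91C_BASE_PIOA->PIO_ODR =
		GPIO_FPGA_NINIT |
		GPIO_FPGA_DONE;
	// PIO controls the following pins
	AT91C_BASE_PIOA->PIO_PER =
		GPIO_FPGA_NINIT |
		GPIO_FPGA_DONE;
	// Enable pull-ups
	AT91C_BASE_PIOA->PIO_PPUER =
		GPIO_FPGA_NINIT |
		GPIO_FPGA_DONE;

	// setup initial logic state
	HIGH(GPIO_FPGA_NPROGRAM);
	LOW(GPIO_FPGA_CCLK);
	LOW(GPIO_FPGA_DIN);
	// These pins are outputs
	AT91C_BASE_PIOA->PIO_OER =
		GPIO_FPGA_NPROGRAM |
		GPIO_FPGA_CCLK |
		GPIO_FPGA_DIN;

	// enter FPGA configuration mode
	LOW(GPIO_FPGA_NPROGRAM);
	SpinDelay(50);
	HIGH(GPIO_FPGA_NPROGRAM);

	i = 100000;
	// wait for FPGA ready to accept data signal
	while ((i) && (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_NINIT))) {
		i--;
	}

	// crude error indicator, leave both red LEDs on and return
	if (i == 0) {
		LED_C_ON();
		LED_D_ON();
		return;
	}

	for (i = 0; i < FpgaImageLen; i++) {
		int b = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
		if (b < 0) {
			Dbprintf("Error %d during FpgaDownload", b);
			break;
		}
		DownloadFPGA_byte(b);
	}

	// continue to clock FPGA until ready signal goes high (at most 100000 pulses)
	i = 100000;
	while ((i > 0) && (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE))) {
		HIGH(GPIO_FPGA_CCLK);
		LOW(GPIO_FPGA_CCLK);
		i--;
	}

	// Decide on the DONE pin itself rather than on the counter: with a
	// post-decrement in the loop condition the counter ends at -1 after a
	// timeout, so a test for 0 would miss exactly the failure it is meant for.
	// crude error indicator, leave both red LEDs on and return
	if (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE)) {
		LED_C_ON();
		LED_D_ON();
		return;
	}
	LED_D_OFF();
}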
354
355
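/* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
 * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
 * After that the format is 1 byte section type (ASCII character), 2 byte length
 * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
 * length.
 *
 * Searches at most MAX_FPGA_BIT_STREAM_HEADER_SEARCH bytes for section_name.
 * Returns 1 and stores the section's length in *section_length when found, in
 * which case the stream is positioned at the first content byte. Returns 0 on
 * an unknown section name, an implausible length, a decompression error or
 * when the search limit is reached; *section_length is then left untouched.
 *
 * The length of section 'e' is taken from the stream as is, with no upper
 * bound applied here; callers that use it as a byte count must validate it.
 */
static int bitparse_find_section(int bitstream_version, char section_name, unsigned int *section_length, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
{
	int result = 0;
	#define MAX_FPGA_BIT_STREAM_HEADER_SEARCH 100 // maximum number of bytes to search for the requested section
	uint16_t numbytes = 0;
	while (numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH) {
		int name_byte = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
		numbytes++;
		if (name_byte < 'a' || name_byte > 'e') {
			/* Strange section name (or a negative error code), abort */
			break;
		}
		char current_name = (char) name_byte;

		/* Section 'e' has a four byte length field, all others two bytes.
		 * The bytes are accumulated as unsigned values so that a byte >= 0x80
		 * in the top position never shifts into the sign bit of an int. */
		int length_field_size = (current_name == 'e') ? 4 : 2;
		unsigned int current_length = 0;
		bool read_failed = false;
		for (int k = 0; k < length_field_size; k++) {
			int b = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
			if (b < 0) {
				read_failed = true;
				break;
			}
			current_length = (current_length << 8) | (unsigned int) b;
		}
		if (read_failed) {
			/* Decompression error inside the length field, abort */
			break;
		}
		numbytes += length_field_size;

		if (current_name != 'e' && current_length > 255) {
			/* Maybe a parse error */
			break;
		}

		if (current_name == section_name) {
			/* Found it */
			*section_length = current_length;
			result = 1;
			break;
		}

		/* Not the requested section: skip its content */
		for (uint16_t i = 0; i < current_length && numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH; i++) {
			if (get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) < 0) {
				return 0;
			}
			numbytes++;
		}
	}

	return result;
}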
408
409
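//----------------------------------------------------------------------------
// Check which FPGA image is currently loaded (if any). If necessary
// decompress and load the correct (HF or LF) image to the FPGA.
//
// bitstream_version: 1-based index of the wanted bitstream within the combined
// image. If it equals the recorded version, only tracing is enabled. Values
// outside 1..fpga_bitstream_num are rejected, because the de-interleaver could
// never find a chunk belonging to them.
//----------------------------------------------------------------------------
void FpgaDownloadAndGo(int bitstream_version)
{
	// zero-initialized so that no field zlib looks at is left indeterminate
	z_stream compressed_fpga_stream = {0};
	uint8_t output_buffer[OUTPUT_BUFFER_LEN] = {0x00};

	// check whether or not the bitstream is already loaded
	if (downloaded_bitstream == bitstream_version) {
		FpgaEnableTracing();
		return;
	}

	if (bitstream_version < 1 || bitstream_version > fpga_bitstream_num) {
		Dbprintf("FpgaDownloadAndGo: invalid bitstream version %d", bitstream_version);
		return;
	}

	// make sure that we have enough memory to decompress
	BigBuf_free(); BigBuf_Clear_ext(false);

	if (!reset_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer)) {
		// inflate may already have taken memory from BigBuf; hand it back
		// before giving up, as the regular exit path below does.
		BigBuf_free(); BigBuf_Clear_ext(false);
		return;
	}

	unsigned int bitstream_length;
	if (bitparse_find_section(bitstream_version, 'e', &bitstream_length, &compressed_fpga_stream, output_buffer)) {
		// NOTE(review): DownloadFPGA() returns void and reports failure only
		// via LEDs, so the version is recorded as loaded even if the FPGA did
		// not configure. bitstream_length comes straight from the image and is
		// converted to int without a range check.
		DownloadFPGA(bitstream_version, bitstream_length, &compressed_fpga_stream, output_buffer);
		downloaded_bitstream = bitstream_version;
	}

	inflateEnd(&compressed_fpga_stream);

	// turn off antenna
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

	// free eventually allocated BigBuf memory
	BigBuf_free(); BigBuf_Clear_ext(false);
}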
446
447
//-----------------------------------------------------------------------------
// Send a 16 bit command/data pair to the FPGA.
// The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
// where C is the 4 bit command and D is the 12 bit data.
// cmd and v are OR-ed together unmasked, so the caller has to pass cmd already
// placed in the top four bits and keep v within the lower twelve.
//-----------------------------------------------------------------------------
void FpgaSendCommand(uint16_t cmd, uint16_t v)
{
	SetupSpi(SPI_FPGA_MODE);

	// wait for the transfer to complete
	while (!(AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY)) {
		// busy-wait
	}

	// send the data
	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;
}
459
//-----------------------------------------------------------------------------
// Write the FPGA setup word (that determines what mode the logic is in, read
// vs. clone vs. etc.). This is a special case of FpgaSendCommand(), kept as a
// function of its own so that its occurrences everywhere in the source code
// need not change.
//-----------------------------------------------------------------------------
void FpgaWriteConfWord(uint16_t v)
{
	const uint16_t conf_word = v;

	FpgaSendCommand(FPGA_CMD_SET_CONFREG, conf_word);
}
469
//-----------------------------------------------------------------------------
// Enable FPGA internal tracing: sends FPGA_CMD_TRACE_ENABLE with data 1.
//-----------------------------------------------------------------------------
void FpgaEnableTracing(void)
{
	const uint16_t tracing_on = 1;

	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, tracing_on);
}
477
// Disable FPGA internal tracing: sends FPGA_CMD_TRACE_ENABLE with data 0.
void FpgaDisableTracing(void)
{
	const uint16_t tracing_off = 0;

	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, tracing_off);
}
482
//-----------------------------------------------------------------------------
// Set up the CMOS switches that mux the ADC: four switches, independently
// closable, but should only close one at a time. Not an FPGA thing, but
// the samples from the ADC always flow through the FPGA.
// whichGpio: the GPIO_MUXSEL_* line to drive high; it is passed to HIGH()
//            unchecked, after all four mux lines have been driven low.
//-----------------------------------------------------------------------------
void SetAdcMuxFor(uint32_t whichGpio)
{
	const uint32_t mux_lines =
		GPIO_MUXSEL_HIPKD |
		GPIO_MUXSEL_LOPKD |
		GPIO_MUXSEL_LORAW |
		GPIO_MUXSEL_HIRAW;

	// All four select lines are PIO-controlled outputs
	AT91C_BASE_PIOA->PIO_OER = mux_lines;
	AT91C_BASE_PIOA->PIO_PER = mux_lines;

	// Drive every line low first ...
	LOW(GPIO_MUXSEL_HIPKD);
	LOW(GPIO_MUXSEL_HIRAW);
	LOW(GPIO_MUXSEL_LORAW);
	LOW(GPIO_MUXSEL_LOPKD);

	// ... then raise the requested one
	HIGH(whichGpio);
}
509
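// Print the version information of the bitstream recorded as loaded.
// downloaded_bitstream is 1-based and starts out as 0 (nothing loaded), so it
// is range-checked before it is used as an index into
// fpga_version_information; otherwise index -1 would be read.
void Fpga_print_status(void) {
	Dbprintf("Currently loaded FPGA image:");
	if (downloaded_bitstream < 1 || downloaded_bitstream > fpga_bitstream_num) {
		Dbprintf(" none");
		return;
	}
	Dbprintf(" %s", fpga_version_information[downloaded_bitstream-1]);
}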
514
// Report which bitstream version is recorded as downloaded to the FPGA.
// The value is 0 until FpgaDownloadAndGo() has recorded a download.
int FpgaGetCurrent() {
	const int current_version = downloaded_bitstream;

	return current_version;
}