]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
FIX: `hf mf sim` - authentication works again.
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21
22 #ifndef SHORT_COIL
23 # define SHORT_COIL() LOW(GPIO_SSC_DOUT)
24 #endif
25 #ifndef OPEN_COIL
26 # define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
27 #endif
28
29 /**
30 * Function to do a modulation and then get samples.
31 * @param delay_off
32 * @param periods 0xFFFF0000 is period_0, 0x0000FFFF is period_1
33 * @param useHighFreg
34 * @param command
35 */
36 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t periods, uint32_t useHighFreq, uint8_t *command)
37 {
38 /* Make sure the tag is reset */
39 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
40 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
41 SpinDelay(200);
42
43 uint16_t period_0 = periods >> 16;
44 uint16_t period_1 = periods & 0xFFFF;
45
46 // 95 == 125 KHz 88 == 134.8 KHz
47 int divisor_used = (useHighFreq) ? 88 : 95;
48 sample_config sc = { 0,0,1, divisor_used, 0};
49 setSamplingConfig(&sc);
50
51 //clear read buffer
52 BigBuf_Clear_keep_EM();
53
54 LFSetupFPGAForADC(sc.divisor, 1);
55
56 // And a little more time for the tag to fully power up
57 SpinDelay(50);
58
59 // now modulate the reader field
60 while(*command != '\0' && *command != ' ') {
61 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
62 LED_D_OFF();
63 WaitUS(delay_off);
64 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
65
66 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
67 LED_D_ON();
68 if(*(command++) == '0')
69 WaitUS(period_0);
70 else
71 WaitUS(period_1);
72 }
73 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
74 LED_D_OFF();
75 WaitUS(delay_off);
76 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
77 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
78
79 // now do the read
80 DoAcquisition_config(false);
81
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
83 }
84
85 /* blank r/w tag data stream
86 ...0000000000000000 01111111
87 1010101010101010101010101010101010101010101010101010101010101010
88 0011010010100001
89 01111111
90 101010101010101[0]000...
91
92 [5555fe852c5555555555555555fe0000]
93 */
94 void ReadTItag(void)
95 {
96 StartTicks();
97 // some hardcoded initial params
98 // when we read a TI tag we sample the zerocross line at 2Mhz
99 // TI tags modulate a 1 as 16 cycles of 123.2Khz
100 // TI tags modulate a 0 as 16 cycles of 134.2Khz
101 #define FSAMPLE 2000000
102 #define FREQLO 123200
103 #define FREQHI 134200
104
105 signed char *dest = (signed char *)BigBuf_get_addr();
106 uint16_t n = BigBuf_max_traceLen();
107 // 128 bit shift register [shift3:shift2:shift1:shift0]
108 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
109
110 int i, cycles=0, samples=0;
111 // how many sample points fit in 16 cycles of each frequency
112 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
113 // when to tell if we're close enough to one freq or another
114 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
115
116 // TI tags charge at 134.2Khz
117 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
118 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
119
120 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
121 // connects to SSP_DIN and the SSP_DOUT logic level controls
122 // whether we're modulating the antenna (high)
123 // or listening to the antenna (low)
124 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
125
126 // get TI tag data into the buffer
127 AcquireTiType();
128
129 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
130
131 for (i=0; i<n-1; i++) {
132 // count cycles by looking for lo to hi zero crossings
133 if ( (dest[i]<0) && (dest[i+1]>0) ) {
134 cycles++;
135 // after 16 cycles, measure the frequency
136 if (cycles>15) {
137 cycles=0;
138 samples=i-samples; // number of samples in these 16 cycles
139
140 // TI bits are coming to us lsb first so shift them
141 // right through our 128 bit right shift register
142 shift0 = (shift0>>1) | (shift1 << 31);
143 shift1 = (shift1>>1) | (shift2 << 31);
144 shift2 = (shift2>>1) | (shift3 << 31);
145 shift3 >>= 1;
146
147 // check if the cycles fall close to the number
148 // expected for either the low or high frequency
149 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
150 // low frequency represents a 1
151 shift3 |= (1<<31);
152 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
153 // high frequency represents a 0
154 } else {
155 // probably detected a gay waveform or noise
156 // use this as gaydar or discard shift register and start again
157 shift3 = shift2 = shift1 = shift0 = 0;
158 }
159 samples = i;
160
161 // for each bit we receive, test if we've detected a valid tag
162
163 // if we see 17 zeroes followed by 6 ones, we might have a tag
164 // remember the bits are backwards
165 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
166 // if start and end bytes match, we have a tag so break out of the loop
167 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
168 cycles = 0xF0B; //use this as a flag (ugly but whatever)
169 break;
170 }
171 }
172 }
173 }
174 }
175
176 // if flag is set we have a tag
177 if (cycles!=0xF0B) {
178 DbpString("Info: No valid tag detected.");
179 } else {
180 // put 64 bit data into shift1 and shift0
181 shift0 = (shift0>>24) | (shift1 << 8);
182 shift1 = (shift1>>24) | (shift2 << 8);
183
184 // align 16 bit crc into lower half of shift2
185 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
186
187 // if r/w tag, check ident match
188 if (shift3 & (1<<15) ) {
189 DbpString("Info: TI tag is rewriteable");
190 // only 15 bits compare, last bit of ident is not valid
191 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
192 DbpString("Error: Ident mismatch!");
193 } else {
194 DbpString("Info: TI tag ident is valid");
195 }
196 } else {
197 DbpString("Info: TI tag is readonly");
198 }
199
200 // WARNING the order of the bytes in which we calc crc below needs checking
201 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
202 // bytes in reverse or something
203 // calculate CRC
204 uint32_t crc=0;
205
206 crc = update_crc16(crc, (shift0)&0xff);
207 crc = update_crc16(crc, (shift0>>8)&0xff);
208 crc = update_crc16(crc, (shift0>>16)&0xff);
209 crc = update_crc16(crc, (shift0>>24)&0xff);
210 crc = update_crc16(crc, (shift1)&0xff);
211 crc = update_crc16(crc, (shift1>>8)&0xff);
212 crc = update_crc16(crc, (shift1>>16)&0xff);
213 crc = update_crc16(crc, (shift1>>24)&0xff);
214
215 Dbprintf("Info: Tag data: %x%08x, crc=%x", (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
216 if (crc != (shift2&0xffff)) {
217 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
218 } else {
219 DbpString("Info: CRC is good");
220 }
221 }
222 StopTicks();
223 }
224
225 void WriteTIbyte(uint8_t b)
226 {
227 int i = 0;
228
229 // modulate 8 bits out to the antenna
230 for (i=0; i<8; i++)
231 {
232 if ( b & ( 1 << i ) ) {
233 // stop modulating antenna 1ms
234 LOW(GPIO_SSC_DOUT);
235 WaitUS(1000);
236 // modulate antenna 1ms
237 HIGH(GPIO_SSC_DOUT);
238 WaitUS(1000);
239 } else {
240 // stop modulating antenna 1ms
241 LOW(GPIO_SSC_DOUT);
242 WaitUS(300);
243 // modulate antenna 1m
244 HIGH(GPIO_SSC_DOUT);
245 WaitUS(1700);
246 }
247 }
248 }
249
250 void AcquireTiType(void)
251 {
252 int i, j, n;
253 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
254 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
255 #define TIBUFLEN 1250
256
257 // clear buffer
258 uint32_t *buf = (uint32_t *)BigBuf_get_addr();
259
260 //clear buffer now so it does not interfere with timing later
261 BigBuf_Clear_ext(false);
262
263 // Set up the synchronous serial port
264 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
265 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
266
267 // steal this pin from the SSP and use it to control the modulation
268 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
269 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
270
271 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
272 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
273
274 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
275 // 48/2 = 24 MHz clock must be divided by 12
276 AT91C_BASE_SSC->SSC_CMR = 12;
277
278 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
279 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
280 AT91C_BASE_SSC->SSC_TCMR = 0;
281 AT91C_BASE_SSC->SSC_TFMR = 0;
282 // iceman, FpgaSetupSsc() ?? the code above? can it be replaced?
283 LED_D_ON();
284
285 // modulate antenna
286 HIGH(GPIO_SSC_DOUT);
287
288 // Charge TI tag for 50ms.
289 WaitMS(50);
290
291 // stop modulating antenna and listen
292 LOW(GPIO_SSC_DOUT);
293
294 LED_D_OFF();
295
296 i = 0;
297 for(;;) {
298 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
299 buf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
300 i++; if(i >= TIBUFLEN) break;
301 }
302 WDT_HIT();
303 }
304
305 // return stolen pin to SSP
306 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
307 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
308
309 char *dest = (char *)BigBuf_get_addr();
310 n = TIBUFLEN * 32;
311
312 // unpack buffer
313 for (i = TIBUFLEN-1; i >= 0; i--) {
314 for (j = 0; j < 32; j++) {
315 if(buf[i] & (1 << j)) {
316 dest[--n] = 1;
317 } else {
318 dest[--n] = -1;
319 }
320 }
321 }
322 }
323
324 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
325 // if crc provided, it will be written with the data verbatim (even if bogus)
326 // if not provided a valid crc will be computed from the data and written.
327 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
328 {
329 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
330 if(crc == 0) {
331 crc = update_crc16(crc, (idlo)&0xff);
332 crc = update_crc16(crc, (idlo>>8)&0xff);
333 crc = update_crc16(crc, (idlo>>16)&0xff);
334 crc = update_crc16(crc, (idlo>>24)&0xff);
335 crc = update_crc16(crc, (idhi)&0xff);
336 crc = update_crc16(crc, (idhi>>8)&0xff);
337 crc = update_crc16(crc, (idhi>>16)&0xff);
338 crc = update_crc16(crc, (idhi>>24)&0xff);
339 }
340 Dbprintf("Writing to tag: %x%08x, crc=%x", (unsigned int) idhi, (unsigned int) idlo, crc);
341
342 // TI tags charge at 134.2Khz
343 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
344 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
345 // connects to SSP_DIN and the SSP_DOUT logic level controls
346 // whether we're modulating the antenna (high)
347 // or listening to the antenna (low)
348 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
349 StartTicks();
350
351 LED_A_ON();
352
353 // steal this pin from the SSP and use it to control the modulation
354 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
355 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
356
357 // writing algorithm:
358 // a high bit consists of a field off for 1ms and field on for 1ms
359 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
360 // initiate a charge time of 50ms (field on) then immediately start writing bits
361 // start by writing 0xBB (keyword) and 0xEB (password)
362 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
363 // finally end with 0x0300 (write frame)
364 // all data is sent lsb first
365 // finish with 50ms programming time
366
367 // modulate antenna
368 HIGH(GPIO_SSC_DOUT);
369 WaitMS(50); // charge time
370
371 WriteTIbyte(0xbb); // keyword
372 WriteTIbyte(0xeb); // password
373 WriteTIbyte( (idlo )&0xff );
374 WriteTIbyte( (idlo>>8 )&0xff );
375 WriteTIbyte( (idlo>>16)&0xff );
376 WriteTIbyte( (idlo>>24)&0xff );
377 WriteTIbyte( (idhi )&0xff );
378 WriteTIbyte( (idhi>>8 )&0xff );
379 WriteTIbyte( (idhi>>16)&0xff );
380 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
381 WriteTIbyte( (crc )&0xff ); // crc lo
382 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
383 WriteTIbyte(0x00); // write frame lo
384 WriteTIbyte(0x03); // write frame hi
385 HIGH(GPIO_SSC_DOUT);
386 WaitMS(50); // programming time
387
388 LED_A_OFF();
389
390 // get TI tag data into the buffer
391 AcquireTiType();
392
393 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
394 DbpString("Now use `lf ti read` to check");
395 StopTicks();
396 }
397
398 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
399 {
400 int i = 0;
401 uint8_t *buf = BigBuf_get_addr();
402
403 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
404 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
405 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
406 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE );
407
408 // set frequency, get values from 'lf config' command
409 sample_config *sc = getSamplingConfig();
410
411 if ( (sc->divisor == 1) || (sc->divisor < 0) || (sc->divisor > 255) )
412 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
413 else if (sc->divisor == 0)
414 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
415 else
416 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
417
418 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
419
420 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
421 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
422 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
423
424 // power on antenna
425 OPEN_COIL();
426 // charge time
427 WaitMS(50);
428
429 for(;;) {
430 WDT_HIT();
431
432 if (ledcontrol) LED_D_ON();
433
434 // wait until SSC_CLK goes HIGH
435 // used as a simple detection of a reader field?
436 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
437 WDT_HIT();
438 if ( usb_poll_validate_length() || BUTTON_PRESS() )
439 goto OUT;
440 }
441
442 if(buf[i])
443 OPEN_COIL();
444 else
445 SHORT_COIL();
446
447 //wait until SSC_CLK goes LOW
448 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
449 WDT_HIT();
450 if ( usb_poll_validate_length() || BUTTON_PRESS() )
451 goto OUT;
452 }
453
454 i++;
455 if(i == period) {
456 i = 0;
457 if (gap) {
458 WDT_HIT();
459 SHORT_COIL();
460 SpinDelayUs(gap);
461 }
462 }
463
464 if (ledcontrol) LED_D_OFF();
465 }
466 OUT:
467 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
468 LED_D_OFF();
469 DbpString("Simulation stopped");
470 return;
471 }
472
473 #define DEBUG_FRAME_CONTENTS 1
474 void SimulateTagLowFrequencyBidir(int divisor, int t0)
475 {
476 }
477
478 // compose fc/8 fc/10 waveform (FSK2)
479 static void fc(int c, int *n)
480 {
481 uint8_t *dest = BigBuf_get_addr();
482 int idx;
483
484 // for when we want an fc8 pattern every 4 logical bits
485 if(c==0) {
486 dest[((*n)++)]=1;
487 dest[((*n)++)]=1;
488 dest[((*n)++)]=1;
489 dest[((*n)++)]=1;
490 dest[((*n)++)]=0;
491 dest[((*n)++)]=0;
492 dest[((*n)++)]=0;
493 dest[((*n)++)]=0;
494 }
495
496 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
497 if(c==8) {
498 for (idx=0; idx<6; idx++) {
499 dest[((*n)++)]=1;
500 dest[((*n)++)]=1;
501 dest[((*n)++)]=1;
502 dest[((*n)++)]=1;
503 dest[((*n)++)]=0;
504 dest[((*n)++)]=0;
505 dest[((*n)++)]=0;
506 dest[((*n)++)]=0;
507 }
508 }
509
510 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
511 if(c==10) {
512 for (idx=0; idx<5; idx++) {
513 dest[((*n)++)]=1;
514 dest[((*n)++)]=1;
515 dest[((*n)++)]=1;
516 dest[((*n)++)]=1;
517 dest[((*n)++)]=1;
518 dest[((*n)++)]=0;
519 dest[((*n)++)]=0;
520 dest[((*n)++)]=0;
521 dest[((*n)++)]=0;
522 dest[((*n)++)]=0;
523 }
524 }
525 }
526 // compose fc/X fc/Y waveform (FSKx)
527 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
528 {
529 uint8_t *dest = BigBuf_get_addr();
530 uint8_t halfFC = fc/2;
531 uint8_t wavesPerClock = clock/fc;
532 uint8_t mod = clock % fc; //modifier
533 uint8_t modAdj = fc/mod; //how often to apply modifier
534 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
535 // loop through clock - step field clock
536 for (uint8_t idx=0; idx < wavesPerClock; idx++){
537 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
538 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
539 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
540 *n += fc;
541 }
542 if (mod>0) (*modCnt)++;
543 if ((mod>0) && modAdjOk){ //fsk2
544 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
545 memset(dest+(*n), 0, fc-halfFC);
546 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
547 *n += fc;
548 }
549 }
550 if (mod>0 && !modAdjOk){ //fsk1
551 memset(dest+(*n), 0, mod-(mod/2));
552 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
553 *n += mod;
554 }
555 }
556
557 // prepare a waveform pattern in the buffer based on the ID given then
558 // simulate a HID tag until the button is pressed
559 void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
560 {
561 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
562 set_tracing(FALSE);
563
564 int n = 0, i = 0;
565 /*
566 HID tag bitstream format
567 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
568 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
569 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
570 A fc8 is inserted before every 4 bits
571 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
572 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
573 */
574
575 if (hi > 0xFFF) {
576 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
577 return;
578 }
579 fc(0,&n);
580 // special start of frame marker containing invalid bit sequences
581 fc(8, &n); fc(8, &n); // invalid
582 fc(8, &n); fc(10, &n); // logical 0
583 fc(10, &n); fc(10, &n); // invalid
584 fc(8, &n); fc(10, &n); // logical 0
585
586 WDT_HIT();
587 // manchester encode bits 43 to 32
588 for (i=11; i>=0; i--) {
589 if ((i%4)==3) fc(0,&n);
590 if ((hi>>i)&1) {
591 fc(10, &n); fc(8, &n); // low-high transition
592 } else {
593 fc(8, &n); fc(10, &n); // high-low transition
594 }
595 }
596
597 WDT_HIT();
598 // manchester encode bits 31 to 0
599 for (i=31; i>=0; i--) {
600 if ((i%4)==3) fc(0,&n);
601 if ((lo>>i)&1) {
602 fc(10, &n); fc(8, &n); // low-high transition
603 } else {
604 fc(8, &n); fc(10, &n); // high-low transition
605 }
606 }
607 WDT_HIT();
608
609 if (ledcontrol) LED_A_ON();
610 SimulateTagLowFrequency(n, 0, ledcontrol);
611 if (ledcontrol) LED_A_OFF();
612 }
613
614 // prepare a waveform pattern in the buffer based on the ID given then
615 // simulate a FSK tag until the button is pressed
616 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
617 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
618 {
619 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
620
621 // free eventually allocated BigBuf memory
622 BigBuf_free(); BigBuf_Clear_ext(false);
623 clear_trace();
624 set_tracing(FALSE);
625
626 int ledcontrol = 1, n = 0, i = 0;
627 uint8_t fcHigh = arg1 >> 8;
628 uint8_t fcLow = arg1 & 0xFF;
629 uint16_t modCnt = 0;
630 uint8_t clk = arg2 & 0xFF;
631 uint8_t invert = (arg2 >> 8) & 1;
632
633 for (i=0; i<size; i++){
634
635 if (BitStream[i] == invert)
636 fcAll(fcLow, &n, clk, &modCnt);
637 else
638 fcAll(fcHigh, &n, clk, &modCnt);
639 }
640 WDT_HIT();
641
642 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d", fcHigh, fcLow, clk, invert, n);
643
644 if (ledcontrol) LED_A_ON();
645 SimulateTagLowFrequency(n, 0, ledcontrol);
646 if (ledcontrol) LED_A_OFF();
647 }
648
649 // compose ask waveform for one bit(ASK)
650 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
651 {
652 uint8_t *dest = BigBuf_get_addr();
653 uint8_t halfClk = clock/2;
654 // c = current bit 1 or 0
655 if (manchester==1){
656 memset(dest+(*n), c, halfClk);
657 memset(dest+(*n) + halfClk, c^1, halfClk);
658 } else {
659 memset(dest+(*n), c, clock);
660 }
661 *n += clock;
662 }
663
664 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
665 {
666 uint8_t *dest = BigBuf_get_addr();
667 uint8_t halfClk = clock/2;
668 if (c){
669 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
670 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
671 } else {
672 memset(dest+(*n), c ^ *phase, clock);
673 *phase ^= 1;
674 }
675 *n += clock;
676 }
677
678 static void stAskSimBit(int *n, uint8_t clock) {
679 uint8_t *dest = BigBuf_get_addr();
680 uint8_t halfClk = clock/2;
681 //ST = .5 high .5 low 1.5 high .5 low 1 high
682 memset(dest+(*n), 1, halfClk);
683 memset(dest+(*n) + halfClk, 0, halfClk);
684 memset(dest+(*n) + clock, 1, clock + halfClk);
685 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
686 memset(dest+(*n) + clock*3, 1, clock);
687 *n += clock*4;
688 }
689
690 // args clock, ask/man or askraw, invert, transmission separator
691 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
692 {
693 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
694 set_tracing(FALSE);
695
696 int ledcontrol = 1, n = 0, i = 0;
697 uint8_t clk = (arg1 >> 8) & 0xFF;
698 uint8_t encoding = arg1 & 0xFF;
699 uint8_t separator = arg2 & 1;
700 uint8_t invert = (arg2 >> 8) & 1;
701
702 if (encoding == 2){ //biphase
703 uint8_t phase = 0;
704 for (i=0; i<size; i++){
705 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
706 }
707 if (phase == 1) { //run a second set inverted to keep phase in check
708 for (i=0; i<size; i++){
709 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
710 }
711 }
712 } else { // ask/manchester || ask/raw
713 for (i=0; i<size; i++){
714 askSimBit(BitStream[i]^invert, &n, clk, encoding);
715 }
716 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
717 for (i=0; i<size; i++){
718 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
719 }
720 }
721 }
722 if (separator==1 && encoding == 1)
723 stAskSimBit(&n, clk);
724 else if (separator==1)
725 Dbprintf("sorry but separator option not yet available");
726
727 WDT_HIT();
728
729 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
730
731 if (ledcontrol) LED_A_ON();
732 SimulateTagLowFrequency(n, 0, ledcontrol);
733 if (ledcontrol) LED_A_OFF();
734 }
735
736 //carrier can be 2,4 or 8
737 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
738 {
739 uint8_t *dest = BigBuf_get_addr();
740 uint8_t halfWave = waveLen/2;
741 //uint8_t idx;
742 int i = 0;
743 if (phaseChg){
744 // write phase change
745 memset(dest+(*n), *curPhase^1, halfWave);
746 memset(dest+(*n) + halfWave, *curPhase, halfWave);
747 *n += waveLen;
748 *curPhase ^= 1;
749 i += waveLen;
750 }
751 //write each normal clock wave for the clock duration
752 for (; i < clk; i+=waveLen){
753 memset(dest+(*n), *curPhase, halfWave);
754 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
755 *n += waveLen;
756 }
757 }
758
759 // args clock, carrier, invert,
760 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
761 {
762 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
763 set_tracing(FALSE);
764
765 int ledcontrol = 1, n = 0, i = 0;
766 uint8_t clk = arg1 >> 8;
767 uint8_t carrier = arg1 & 0xFF;
768 uint8_t invert = arg2 & 0xFF;
769 uint8_t curPhase = 0;
770 for (i=0; i<size; i++){
771 if (BitStream[i] == curPhase){
772 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
773 } else {
774 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
775 }
776 }
777
778 WDT_HIT();
779
780 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
781
782 if (ledcontrol) LED_A_ON();
783 SimulateTagLowFrequency(n, 0, ledcontrol);
784 if (ledcontrol) LED_A_OFF();
785 }
786
787 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
788 void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
789 {
790 uint8_t *dest = BigBuf_get_addr();
791 size_t size = 0;
792 uint32_t hi2=0, hi=0, lo=0;
793 int idx=0;
794 // Configure to go in 125Khz listen mode
795 LFSetupFPGAForADC(95, true);
796
797 //clear read buffer
798 BigBuf_Clear_keep_EM();
799
800 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
801
802 WDT_HIT();
803 if (ledcontrol) LED_A_ON();
804
805 DoAcquisition_default(0, true);
806 // FSK demodulator
807 size = 50*128*2; //big enough to catch 2 sequences of largest format
808 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo);
809
810 if (idx>0 && lo>0 && (size==96 || size==192)){
811 // go over previously decoded manchester data and decode into usable tag ID
812 if (hi2 != 0){ //extra large HID tags 88/192 bits
813 Dbprintf("TAG ID: %x%08x%08x (%d)",
814 (unsigned int) hi2,
815 (unsigned int) hi,
816 (unsigned int) lo,
817 (unsigned int) (lo>>1) & 0xFFFF
818 );
819 } else { //standard HID tags 44/96 bits
820 uint8_t bitlen = 0;
821 uint32_t fc = 0;
822 uint32_t cardnum = 0;
823
824 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
825 uint32_t lo2=0;
826 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
827 uint8_t idx3 = 1;
828 while(lo2 > 1){ //find last bit set to 1 (format len bit)
829 lo2=lo2 >> 1;
830 idx3++;
831 }
832 bitlen = idx3+19;
833 fc =0;
834 cardnum=0;
835 if(bitlen == 26){
836 cardnum = (lo>>1)&0xFFFF;
837 fc = (lo>>17)&0xFF;
838 }
839 if(bitlen == 37){
840 cardnum = (lo>>1)&0x7FFFF;
841 fc = ((hi&0xF)<<12)|(lo>>20);
842 }
843 if(bitlen == 34){
844 cardnum = (lo>>1)&0xFFFF;
845 fc= ((hi&1)<<15)|(lo>>17);
846 }
847 if(bitlen == 35){
848 cardnum = (lo>>1)&0xFFFFF;
849 fc = ((hi&1)<<11)|(lo>>21);
850 }
851 }
852 else { //if bit 38 is not set then 37 bit format is used
853 bitlen= 37;
854 fc =0;
855 cardnum=0;
856 if(bitlen==37){
857 cardnum = (lo>>1)&0x7FFFF;
858 fc = ((hi&0xF)<<12)|(lo>>20);
859 }
860 }
861 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
862 (unsigned int) hi,
863 (unsigned int) lo,
864 (unsigned int) (lo>>1) & 0xFFFF,
865 (unsigned int) bitlen,
866 (unsigned int) fc,
867 (unsigned int) cardnum);
868 }
869 if (findone){
870 if (ledcontrol) LED_A_OFF();
871 *high = hi;
872 *low = lo;
873 break;
874 }
875 // reset
876 }
877 hi2 = hi = lo = idx = 0;
878 WDT_HIT();
879 }
880 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
881 DbpString("Stopped");
882 if (ledcontrol) LED_A_OFF();
883 }
884
885 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
886 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
887 {
888 uint8_t *dest = BigBuf_get_addr();
889 size_t size;
890 int idx=0;
891 //clear read buffer
892 BigBuf_Clear_keep_EM();
893 // Configure to go in 125Khz listen mode
894 LFSetupFPGAForADC(95, true);
895
896 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
897
898 WDT_HIT();
899 if (ledcontrol) LED_A_ON();
900
901 DoAcquisition_default(-1,true);
902 // FSK demodulator
903 size = 50*128*2; //big enough to catch 2 sequences of largest format
904 idx = AWIDdemodFSK(dest, &size);
905
906 if (idx<=0 || size!=96) continue;
907 // Index map
908 // 0 10 20 30 40 50 60
909 // | | | | | | |
910 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
911 // -----------------------------------------------------------------------------
912 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
913 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
914 // |---26 bit---| |-----117----||-------------142-------------|
915 // b = format bit len, o = odd parity of last 3 bits
916 // f = facility code, c = card number
917 // w = wiegand parity
918 // (26 bit format shown)
919
920 //get raw ID before removing parities
921 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
922 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
923 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
924
925 size = removeParity(dest, idx+8, 4, 1, 88);
926 if (size != 66) continue;
927
928 // Index map
929 // 0 10 20 30 40 50 60
930 // | | | | | | |
931 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
932 // -----------------------------------------------------------------------------
933 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
934 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
935 // |26 bit| |-117--| |-----142------|
936 //
937 // 00110010 0 0000011111010000000000000001000100101000100001111 0 00000000
938 // bbbbbbbb w ffffffffffffffffccccccccccccccccccccccccccccccccc w xxxxxxxx
939 // |50 bit| |----4000------||-----------2248975-------------|
940 //
941 // b = format bit len, o = odd parity of last 3 bits
942 // f = facility code, c = card number
943 // w = wiegand parity
944
945 uint32_t fc = 0;
946 uint32_t cardnum = 0;
947 uint32_t code1 = 0;
948 uint32_t code2 = 0;
949 uint8_t fmtLen = bytebits_to_byte(dest,8);
950 switch(fmtLen) {
951 case 26:
952 fc = bytebits_to_byte(dest + 9, 8);
953 cardnum = bytebits_to_byte(dest + 17, 16);
954 code1 = bytebits_to_byte(dest + 8,fmtLen);
955 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %u - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
956 break;
957 case 50:
958 fc = bytebits_to_byte(dest + 9, 16);
959 cardnum = bytebits_to_byte(dest + 25, 32);
960 code1 = bytebits_to_byte(dest + 8, (fmtLen-32) );
961 code2 = bytebits_to_byte(dest + 8 + (fmtLen-32), 32);
962 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %u - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, code2, rawHi2, rawHi, rawLo);
963 break;
964 default:
965 if (fmtLen > 32 ) {
966 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
967 code1 = bytebits_to_byte(dest+8,fmtLen-32);
968 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
969 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%u) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
970 } else {
971 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
972 code1 = bytebits_to_byte(dest+8,fmtLen);
973 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%u) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
974 }
975 break;
976 }
977 if (findone)
978 break;
979
980 idx = 0;
981 WDT_HIT();
982 }
983
984 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
985 DbpString("Stopped");
986 if (ledcontrol) LED_A_OFF();
987 }
988
989 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
990 {
991 uint8_t *dest = BigBuf_get_addr();
992
993 size_t size=0, idx=0;
994 int clk=0, invert=0, errCnt=0, maxErr=20;
995 uint32_t hi=0;
996 uint64_t lo=0;
997 //clear read buffer
998 BigBuf_Clear_keep_EM();
999 // Configure to go in 125Khz listen mode
1000 LFSetupFPGAForADC(95, true);
1001
1002 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1003
1004 WDT_HIT();
1005 if (ledcontrol) LED_A_ON();
1006
1007 DoAcquisition_default(-1,true);
1008 size = BigBuf_max_traceLen();
1009 //askdemod and manchester decode
1010 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1011 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1012 WDT_HIT();
1013
1014 if (errCnt<0) continue;
1015
1016 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1017 if (errCnt){
1018 if (size>64){
1019 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1020 hi,
1021 (uint32_t)(lo>>32),
1022 (uint32_t)lo,
1023 (uint32_t)(lo&0xFFFF),
1024 (uint32_t)((lo>>16LL) & 0xFF),
1025 (uint32_t)(lo & 0xFFFFFF));
1026 } else {
1027 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1028 (uint32_t)(lo>>32),
1029 (uint32_t)lo,
1030 (uint32_t)(lo&0xFFFF),
1031 (uint32_t)((lo>>16LL) & 0xFF),
1032 (uint32_t)(lo & 0xFFFFFF));
1033 }
1034
1035 if (findone){
1036 if (ledcontrol) LED_A_OFF();
1037 *high=lo>>32;
1038 *low=lo & 0xFFFFFFFF;
1039 break;
1040 }
1041 }
1042 WDT_HIT();
1043 hi = lo = size = idx = 0;
1044 clk = invert = errCnt = 0;
1045 }
1046 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1047 DbpString("Stopped");
1048 if (ledcontrol) LED_A_OFF();
1049 }
1050
1051 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1052 {
1053 uint8_t *dest = BigBuf_get_addr();
1054 int idx=0;
1055 uint32_t code=0, code2=0;
1056 uint8_t version=0;
1057 uint8_t facilitycode=0;
1058 uint16_t number=0;
1059 uint8_t crc = 0;
1060 uint16_t calccrc = 0;
1061
1062 //clear read buffer
1063 BigBuf_Clear_keep_EM();
1064
1065 // Configure to go in 125Khz listen mode
1066 LFSetupFPGAForADC(95, true);
1067
1068 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1069 WDT_HIT();
1070 if (ledcontrol) LED_A_ON();
1071 DoAcquisition_default(-1,true);
1072 //fskdemod and get start index
1073 WDT_HIT();
1074 idx = IOdemodFSK(dest, BigBuf_max_traceLen());
1075 if (idx<0) continue;
1076 //valid tag found
1077
1078 //Index map
1079 //0 10 20 30 40 50 60
1080 //| | | | | | |
1081 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1082 //-----------------------------------------------------------------------------
1083 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 checksum 11
1084 //
1085 //Checksum:
1086 //00000000 0 11110000 1 11100000 1 00000001 1 00000011 1 10110110 1 01110101 11
1087 //preamble F0 E0 01 03 B6 75
1088 // How to calc checksum,
1089 // http://www.proxmark.org/forum/viewtopic.php?id=364&p=6
1090 // F0 + E0 + 01 + 03 + B6 = 28A
1091 // 28A & FF = 8A
1092 // FF - 8A = 75
1093 // Checksum: 0x75
1094 //XSF(version)facility:codeone+codetwo
1095 //Handle the data
1096 // if(findone){ //only print binary if we are doing one
1097 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1098 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1099 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1100 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1101 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1102 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1103 // Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1104 // }
1105 code = bytebits_to_byte(dest+idx,32);
1106 code2 = bytebits_to_byte(dest+idx+32,32);
1107 version = bytebits_to_byte(dest+idx+27,8); //14,4
1108 facilitycode = bytebits_to_byte(dest+idx+18,8);
1109 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1110
1111 crc = bytebits_to_byte(dest+idx+54,8);
1112 for (uint8_t i=1; i<6; ++i)
1113 calccrc += bytebits_to_byte(dest+idx+9*i,8);
1114 calccrc &= 0xff;
1115 calccrc = 0xff - calccrc;
1116
1117 char *crcStr = (crc == calccrc) ? "ok":"!crc";
1118
1119 Dbprintf("IO Prox XSF(%02d)%02x:%05d (%08x%08x) [%02x %s]",version,facilitycode,number,code,code2, crc, crcStr);
1120 // if we're only looking for one tag
1121 if (findone){
1122 if (ledcontrol) LED_A_OFF();
1123 *high=code;
1124 *low=code2;
1125 break;
1126 }
1127 code=code2=0;
1128 version=facilitycode=0;
1129 number=0;
1130 idx=0;
1131
1132 WDT_HIT();
1133 }
1134 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1135 DbpString("Stopped");
1136 if (ledcontrol) LED_A_OFF();
1137 }
1138
1139 /*------------------------------
1140 * T5555/T5557/T5567/T5577 routines
1141 *------------------------------
1142 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1143 *
1144 * Relevant communication times in microsecond
1145 * To compensate antenna falling times shorten the write times
1146 * and enlarge the gap ones.
1147 * Q5 tags seems to have issues when these values changes.
1148 */
1149
1150 #define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (15fc)
1151 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (10fc)
1152 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (24fc)
1153 #define WRITE_1 54*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (56fc) 432 for T55x7; 448 for E5550
1154 #define READ_GAP 15*8
1155
1156 // VALUES TAKEN FROM EM4x function: SendForward
1157 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1158 // WRITE_GAP = 128; (16*8)
1159 // WRITE_1 = 256 32*8; (32*8)
1160
1161 // These timings work for 4469/4269/4305 (with the 55*8 above)
1162 // WRITE_0 = 23*8 , 9*8
1163
1164 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
1165 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
1166 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
1167 // T0 = TIMER_CLOCK1 / 125000 = 192
1168 // 1 Cycle = 8 microseconds(us) == 1 field clock
1169
1170 // new timer:
1171 // = 1us = 1.5ticks
1172 // 1fc = 8us = 12ticks
1173 void TurnReadLFOn(uint32_t delay) {
1174 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1175
1176 // measure antenna strength.
1177 //int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
1178
1179 // Give it a bit of time for the resonant antenna to settle.
1180 WaitUS(delay);
1181 }
1182
1183 // Write one bit to card
1184 void T55xxWriteBit(int bit) {
1185 if (!bit)
1186 TurnReadLFOn(WRITE_0);
1187 else
1188 TurnReadLFOn(WRITE_1);
1189 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1190 WaitUS(WRITE_GAP);
1191 }
1192
1193 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1194 void T55xxResetRead(void) {
1195 LED_A_ON();
1196 //clear buffer now so it does not interfere with timing later
1197 BigBuf_Clear_keep_EM();
1198
1199 // Set up FPGA, 125kHz
1200 LFSetupFPGAForADC(95, true);
1201
1202 // Trigger T55x7 in mode.
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1204 WaitUS(START_GAP);
1205
1206 // reset tag - op code 00
1207 T55xxWriteBit(0);
1208 T55xxWriteBit(0);
1209
1210 // Turn field on to read the response
1211 TurnReadLFOn(READ_GAP);
1212
1213 // Acquisition
1214 doT55x7Acquisition(BigBuf_max_traceLen());
1215
1216 // Turn the field off
1217 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1218 cmd_send(CMD_ACK,0,0,0,0,0);
1219 LED_A_OFF();
1220 }
1221
1222 // Write one card block in page 0, no lock
1223 void T55xxWriteBlockExt(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg) {
1224 LED_A_ON();
1225 bool PwdMode = arg & 0x1;
1226 uint8_t Page = (arg & 0x2)>>1;
1227 uint32_t i = 0;
1228
1229 // Set up FPGA, 125kHz
1230 LFSetupFPGAForADC(95, true);
1231
1232 // Trigger T55x7 in mode.
1233 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1234 WaitUS(START_GAP);
1235
1236 // Opcode 10
1237 T55xxWriteBit(1);
1238 T55xxWriteBit(Page); //Page 0
1239 if (PwdMode){
1240 // Send Pwd
1241 for (i = 0x80000000; i != 0; i >>= 1)
1242 T55xxWriteBit(Pwd & i);
1243 }
1244 // Send Lock bit
1245 T55xxWriteBit(0);
1246
1247 // Send Data
1248 for (i = 0x80000000; i != 0; i >>= 1)
1249 T55xxWriteBit(Data & i);
1250
1251 // Send Block number
1252 for (i = 0x04; i != 0; i >>= 1)
1253 T55xxWriteBit(Block & i);
1254
1255 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1256 // so wait a little more)
1257 TurnReadLFOn(20 * 1000);
1258
1259 //could attempt to do a read to confirm write took
1260 // as the tag should repeat back the new block
1261 // until it is reset, but to confirm it we would
1262 // need to know the current block 0 config mode
1263
1264 // turn field off
1265 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1266 LED_A_OFF();
1267 }
1268
1269 // Write one card block in page 0, no lock
1270 void T55xxWriteBlock(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg) {
1271 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1272 cmd_send(CMD_ACK,0,0,0,0,0);
1273 }
1274
1275 // Read one card block in page [page]
1276 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1277 LED_A_ON();
1278 bool PwdMode = arg0 & 0x1;
1279 uint8_t Page = (arg0 & 0x2) >> 1;
1280 uint32_t i = 0;
1281 bool RegReadMode = (Block == 0xFF);
1282
1283 //clear buffer now so it does not interfere with timing later
1284 BigBuf_Clear_keep_EM();
1285
1286 //make sure block is at max 7
1287 Block &= 0x7;
1288
1289 // Set up FPGA, 125kHz to power up the tag
1290 LFSetupFPGAForADC(95, true);
1291 //SpinDelay(3);
1292
1293 // Trigger T55x7 Direct Access Mode with start gap
1294 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1295 WaitUS(START_GAP);
1296
1297 // Opcode 1[page]
1298 T55xxWriteBit(1);
1299 T55xxWriteBit(Page); //Page 0
1300
1301 if (PwdMode){
1302 // Send Pwd
1303 for (i = 0x80000000; i != 0; i >>= 1)
1304 T55xxWriteBit(Pwd & i);
1305 }
1306 // Send a zero bit separation
1307 T55xxWriteBit(0);
1308
1309 // Send Block number (if direct access mode)
1310 if (!RegReadMode)
1311 for (i = 0x04; i != 0; i >>= 1)
1312 T55xxWriteBit(Block & i);
1313
1314 // Turn field on to read the response
1315 TurnReadLFOn(READ_GAP);
1316
1317 // Acquisition
1318 doT55x7Acquisition(7679);
1319
1320 // Turn the field off
1321 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1322 cmd_send(CMD_ACK,0,0,0,0,0);
1323 LED_A_OFF();
1324 }
1325
1326 void T55xxWakeUp(uint32_t Pwd){
1327 LED_B_ON();
1328 uint32_t i = 0;
1329
1330 // Set up FPGA, 125kHz
1331 LFSetupFPGAForADC(95, true);
1332
1333 // Trigger T55x7 Direct Access Mode
1334 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1335 WaitUS(START_GAP);
1336
1337 // Opcode 10
1338 T55xxWriteBit(1);
1339 T55xxWriteBit(0); //Page 0
1340
1341 // Send Pwd
1342 for (i = 0x80000000; i != 0; i >>= 1)
1343 T55xxWriteBit(Pwd & i);
1344
1345 // Turn and leave field on to let the begin repeating transmission
1346 TurnReadLFOn(20*1000);
1347 }
1348
1349 /*-------------- Cloning routines -----------*/
1350 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1351 // write last block first and config block last (if included)
1352 for (uint8_t i = numblocks+startblock; i > startblock; i--)
1353 T55xxWriteBlockExt(blockdata[i-1], i-1, 0, 0);
1354 }
1355
1356 // Copy HID id to card and setup block 0 config
1357 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1358 uint32_t data[] = {0,0,0,0,0,0,0};
1359 uint8_t last_block = 0;
1360
1361 if (longFMT){
1362 // Ensure no more than 84 bits supplied
1363 if (hi2 > 0xFFFFF) {
1364 DbpString("Tags can only have 84 bits.");
1365 return;
1366 }
1367 // Build the 6 data blocks for supplied 84bit ID
1368 last_block = 6;
1369 // load preamble (1D) & long format identifier (9E manchester encoded)
1370 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1371 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1372 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1373 data[3] = manchesterEncode2Bytes(hi >> 16);
1374 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1375 data[5] = manchesterEncode2Bytes(lo >> 16);
1376 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1377 } else {
1378 // Ensure no more than 44 bits supplied
1379 if (hi > 0xFFF) {
1380 DbpString("Tags can only have 44 bits.");
1381 return;
1382 }
1383 // Build the 3 data blocks for supplied 44bit ID
1384 last_block = 3;
1385 // load preamble
1386 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1387 data[2] = manchesterEncode2Bytes(lo >> 16);
1388 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1389 }
1390 // load chip config block
1391 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1392
1393 //TODO add selection of chip for Q5 or T55x7
1394 // data[0] = (((50-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1395
1396 LED_D_ON();
1397 WriteT55xx(data, 0, last_block+1);
1398 LED_D_OFF();
1399 }
1400
1401 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1402 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1403 //TODO add selection of chip for Q5 or T55x7
1404 //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
1405 // data[0] = ( ((64-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1406
1407 LED_D_ON();
1408 // Program the data blocks for supplied ID
1409 // and the block 0 config
1410 WriteT55xx(data, 0, 3);
1411 LED_D_OFF();
1412 }
1413
1414 // Clone Indala 64-bit tag by UID to T55x7
1415 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1416 //Program the 2 data blocks for supplied 64bit UID
1417 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1418 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1419 //TODO add selection of chip for Q5 or T55x7
1420 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1421
1422 WriteT55xx(data, 0, 3);
1423 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1424 // T5567WriteBlock(0x603E1042,0);
1425 }
1426 // Clone Indala 224-bit tag by UID to T55x7
1427 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1428 //Program the 7 data blocks for supplied 224bit UID
1429 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1430 // and the block 0 for Indala224 format
1431 //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
1432 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
1433 //TODO add selection of chip for Q5 or T55x7
1434 // data[0] = (((32-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
1435 WriteT55xx(data, 0, 8);
1436 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1437 // T5567WriteBlock(0x603E10E2,0);
1438 }
1439 // clone viking tag to T55xx
1440 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1441 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1442 //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
1443 if (Q5) data[0] = (((32-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1444 // Program the data blocks for supplied ID and the block 0 config
1445 WriteT55xx(data, 0, 3);
1446 LED_D_OFF();
1447 cmd_send(CMD_ACK,0,0,0,0,0);
1448 }
1449
1450 // Define 9bit header for EM410x tags
1451 #define EM410X_HEADER 0x1FF
1452 #define EM410X_ID_LENGTH 40
1453
1454 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1455 int i, id_bit;
1456 uint64_t id = EM410X_HEADER;
1457 uint64_t rev_id = 0; // reversed ID
1458 int c_parity[4]; // column parity
1459 int r_parity = 0; // row parity
1460 uint32_t clock = 0;
1461
1462 // Reverse ID bits given as parameter (for simpler operations)
1463 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1464 if (i < 32) {
1465 rev_id = (rev_id << 1) | (id_lo & 1);
1466 id_lo >>= 1;
1467 } else {
1468 rev_id = (rev_id << 1) | (id_hi & 1);
1469 id_hi >>= 1;
1470 }
1471 }
1472
1473 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1474 id_bit = rev_id & 1;
1475
1476 if (i % 4 == 0) {
1477 // Don't write row parity bit at start of parsing
1478 if (i)
1479 id = (id << 1) | r_parity;
1480 // Start counting parity for new row
1481 r_parity = id_bit;
1482 } else {
1483 // Count row parity
1484 r_parity ^= id_bit;
1485 }
1486
1487 // First elements in column?
1488 if (i < 4)
1489 // Fill out first elements
1490 c_parity[i] = id_bit;
1491 else
1492 // Count column parity
1493 c_parity[i % 4] ^= id_bit;
1494
1495 // Insert ID bit
1496 id = (id << 1) | id_bit;
1497 rev_id >>= 1;
1498 }
1499
1500 // Insert parity bit of last row
1501 id = (id << 1) | r_parity;
1502
1503 // Fill out column parity at the end of tag
1504 for (i = 0; i < 4; ++i)
1505 id = (id << 1) | c_parity[i];
1506
1507 // Add stop bit
1508 id <<= 1;
1509
1510 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1511 LED_D_ON();
1512
1513 // Write EM410x ID
1514 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1515
1516 clock = (card & 0xFF00) >> 8;
1517 clock = (clock == 0) ? 64 : clock;
1518 Dbprintf("Clock rate: %d", clock);
1519 if (card & 0xFF) { //t55x7
1520 clock = GetT55xxClockBit(clock);
1521 if (clock == 0) {
1522 Dbprintf("Invalid clock rate: %d", clock);
1523 return;
1524 }
1525 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1526 } else { //t5555 (Q5)
1527 // t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
1528 data[0] = ( ((clock-2) >> 1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1529 }
1530
1531 WriteT55xx(data, 0, 3);
1532
1533 LED_D_OFF();
1534 Dbprintf("Tag %s written with 0x%08x%08x\n",
1535 card ? "T55x7":"T5555",
1536 (uint32_t)(id >> 32),
1537 (uint32_t)id);
1538 }
1539
1540 //-----------------------------------
1541 // EM4469 / EM4305 routines
1542 //-----------------------------------
1543 // Below given command set.
1544 // Commands are including the even parity, binary mirrored
1545 #define FWD_CMD_LOGIN 0xC
1546 #define FWD_CMD_WRITE 0xA
1547 #define FWD_CMD_READ 0x9
1548 #define FWD_CMD_DISABLE 0x5
1549
1550 uint8_t forwardLink_data[64]; //array of forwarded bits
1551 uint8_t * forward_ptr; //ptr for forward message preparation
1552 uint8_t fwd_bit_sz; //forwardlink bit counter
1553 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1554
1555 //====================================================================
1556 // prepares command bits
1557 // see EM4469 spec
1558 //====================================================================
1559 //--------------------------------------------------------------------
1560 // VALUES TAKEN FROM EM4x function: SendForward
1561 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1562 // WRITE_GAP = 128; (16*8)
1563 // WRITE_1 = 256 32*8; (32*8)
1564
1565 // These timings work for 4469/4269/4305 (with the 55*8 above)
1566 // WRITE_0 = 23*8 , 9*8
1567
1568 uint8_t Prepare_Cmd( uint8_t cmd ) {
1569
1570 *forward_ptr++ = 0; //start bit
1571 *forward_ptr++ = 0; //second pause for 4050 code
1572
1573 *forward_ptr++ = cmd;
1574 cmd >>= 1;
1575 *forward_ptr++ = cmd;
1576 cmd >>= 1;
1577 *forward_ptr++ = cmd;
1578 cmd >>= 1;
1579 *forward_ptr++ = cmd;
1580
1581 return 6; //return number of emited bits
1582 }
1583
1584 //====================================================================
1585 // prepares address bits
1586 // see EM4469 spec
1587 //====================================================================
1588 uint8_t Prepare_Addr( uint8_t addr ) {
1589
1590 register uint8_t line_parity;
1591
1592 uint8_t i;
1593 line_parity = 0;
1594 for( i=0; i<6; i++ ) {
1595 *forward_ptr++ = addr;
1596 line_parity ^= addr;
1597 addr >>= 1;
1598 }
1599
1600 *forward_ptr++ = (line_parity & 1);
1601
1602 return 7; //return number of emited bits
1603 }
1604
1605 //====================================================================
1606 // prepares data bits intreleaved with parity bits
1607 // see EM4469 spec
1608 //====================================================================
1609 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1610
1611 register uint8_t line_parity;
1612 register uint8_t column_parity;
1613 register uint8_t i, j;
1614 register uint16_t data;
1615
1616 data = data_low;
1617 column_parity = 0;
1618
1619 for(i=0; i<4; i++) {
1620 line_parity = 0;
1621 for(j=0; j<8; j++) {
1622 line_parity ^= data;
1623 column_parity ^= (data & 1) << j;
1624 *forward_ptr++ = data;
1625 data >>= 1;
1626 }
1627 *forward_ptr++ = line_parity;
1628 if(i == 1)
1629 data = data_hi;
1630 }
1631
1632 for(j=0; j<8; j++) {
1633 *forward_ptr++ = column_parity;
1634 column_parity >>= 1;
1635 }
1636 *forward_ptr = 0;
1637
1638 return 45; //return number of emited bits
1639 }
1640
1641 //====================================================================
1642 // Forward Link send function
1643 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1644 // fwd_bit_count set with number of bits to be sent
1645 //====================================================================
1646 void SendForward(uint8_t fwd_bit_count) {
1647
1648 // iceman, 21.3us increments for the USclock verification.
1649 // 55FC * 8us == 440us / 21.3 === 20.65 steps. could be too short. Go for 56FC instead
1650 // 32FC * 8us == 256us / 21.3 == 12.018 steps. ok
1651 // 16FC * 8us == 128us / 21.3 == 6.009 steps. ok
1652
1653 #ifndef EM_START_GAP
1654 #define EM_START_GAP 60*8
1655 #endif
1656 #ifndef EM_ONE_GAP
1657 #define EM_ONE_GAP 32*8
1658 #endif
1659 #ifndef EM_ZERO_GAP
1660 # define EM_ZERO_GAP 16*8
1661 #endif
1662
1663 fwd_write_ptr = forwardLink_data;
1664 fwd_bit_sz = fwd_bit_count;
1665
1666 // Set up FPGA, 125kHz
1667 LFSetupFPGAForADC(95, true);
1668
1669 // force 1st mod pulse (start gap must be longer for 4305)
1670 fwd_bit_sz--; //prepare next bit modulation
1671 fwd_write_ptr++;
1672
1673 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1674 WaitUS(EM_START_GAP);
1675 TurnReadLFOn(16);
1676
1677 // now start writting with bitbanging the antenna.
1678 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1679 if(((*fwd_write_ptr++) & 1) == 1)
1680 WaitUS(EM_ONE_GAP);
1681 else {
1682 //These timings work for 4469/4269/4305
1683 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1684 WaitUS(20);
1685 TurnReadLFOn(12);
1686 }
1687 }
1688 }
1689
1690 void EM4xLogin(uint32_t pwd) {
1691 uint8_t len;
1692 forward_ptr = forwardLink_data;
1693 len = Prepare_Cmd( FWD_CMD_LOGIN );
1694 len += Prepare_Data( pwd & 0xFFFF, pwd >> 16 );
1695 SendForward(len);
1696 WaitMS(20); // no wait for login command.
1697 // should receive
1698 // 0000 1010 ok.
1699 // 0000 0001 fail
1700 }
1701
1702 void EM4xReadWord(uint8_t addr, uint32_t pwd, uint8_t usepwd) {
1703
1704 LED_A_ON();
1705 uint8_t len;
1706
1707 //clear buffer now so it does not interfere with timing later
1708 BigBuf_Clear_ext(false);
1709
1710 /* should we read answer from Logincommand?
1711 *
1712 * should receive
1713 * 0000 1010 ok.
1714 * 0000 0001 fail
1715 **/
1716 if (usepwd) EM4xLogin(pwd);
1717
1718 forward_ptr = forwardLink_data;
1719 len = Prepare_Cmd( FWD_CMD_READ );
1720 len += Prepare_Addr( addr );
1721
1722 SendForward(len);
1723
1724 WaitUS(400);
1725 // Now do the acquisition
1726 DoPartialAcquisition(20, true, 6000);
1727
1728 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1729 cmd_send(CMD_ACK,0,0,0,0,0);
1730 LED_A_OFF();
1731 }
1732
1733 void EM4xWriteWord(uint32_t flag, uint32_t data, uint32_t pwd) {
1734
1735 LED_A_ON();
1736
1737 bool usePwd = (flag & 0xF);
1738 uint8_t addr = (flag >> 8) & 0xFF;
1739 uint8_t len;
1740
1741 //clear buffer now so it does not interfere with timing later
1742 BigBuf_Clear_ext(false);
1743
1744 /* should we read answer from Logincommand?
1745 *
1746 * should receive
1747 * 0000 1010 ok.
1748 * 0000 0001 fail
1749 **/
1750 if (usePwd) EM4xLogin(pwd);
1751
1752 forward_ptr = forwardLink_data;
1753 len = Prepare_Cmd( FWD_CMD_WRITE );
1754 len += Prepare_Addr( addr );
1755 len += Prepare_Data( data & 0xFFFF, data >> 16 );
1756
1757 SendForward(len);
1758
1759 //Wait 20ms for write to complete?
1760 WaitMS(6);
1761
1762 //Capture response if one exists
1763 DoPartialAcquisition(20, true, 6000);
1764
1765 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1766 cmd_send(CMD_ACK,0,0,0,0,0);
1767 LED_A_OFF();
1768 }
1769
1770 /*
1771 Reading a COTAG.
1772
1773 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
1774 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
1775
1776 READER START SEQUENCE:
1777 burst 800 us, gap 2.2 msecs
1778 burst 3.6 msecs gap 2.2 msecs
1779 burst 800 us gap 2.2 msecs
1780 pulse 3.6 msecs
1781
1782 This triggers a COTAG tag to response
1783 */
1784 void Cotag(uint32_t arg0) {
1785 #ifndef OFF
1786 # define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1787 #endif
1788 #ifndef ON
1789 # define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
1790 #endif
1791 uint8_t rawsignal = arg0 & 0xF;
1792
1793 LED_A_ON();
1794
1795 // Switching to LF image on FPGA. This might empty BigBuff
1796 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1797
1798 //clear buffer now so it does not interfere with timing later
1799 BigBuf_Clear_ext(false);
1800
1801 // Set up FPGA, 132kHz to power up the tag
1802 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1803 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1804
1805 // Connect the A/D to the peak-detected low-frequency path.
1806 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1807
1808 // Now set up the SSC to get the ADC samples that are now streaming at us.
1809 FpgaSetupSsc();
1810
1811 // start clock - 1.5ticks is 1us
1812 StartTicks();
1813
1814 //send COTAG start pulse
1815 ON(740) OFF
1816 ON(3330) OFF
1817 ON(740) OFF
1818 ON(1000)
1819
1820 switch(rawsignal) {
1821 case 0: doCotagAcquisition(50000); break;
1822 case 1: doCotagAcquisitionManchester(); break;
1823 case 2: DoAcquisition_config(TRUE); break;
1824 }
1825
1826 // Turn the field off
1827 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1828 cmd_send(CMD_ACK,0,0,0,0,0);
1829 LED_A_OFF();
1830 }
1831
1832 /*
1833 * EM4305 support
1834 */
Impressum, Datenschutz