+
+// Copy HID id to card and setup block 0 config
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
+ uint32_t data[] = {0,0,0,0,0,0,0};
+ uint8_t last_block = 0;
+
+ if (longFMT){
+ // Ensure no more than 84 bits supplied
+ if (hi2 > 0xFFFFF) {
+ DbpString("Tags can only have 84 bits.");
+ return;
+ }
+ // Build the 6 data blocks for supplied 84bit ID
+ last_block = 6;
+ // load preamble (1D) & long format identifier (9E manchester encoded)
+ data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
+ // load raw id from hi2, hi, lo to data blocks (manchester encoded)
+ data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
+ data[3] = manchesterEncode2Bytes(hi >> 16);
+ data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
+ data[5] = manchesterEncode2Bytes(lo >> 16);
+ data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
+ } else {
+ // Ensure no more than 44 bits supplied
+ if (hi > 0xFFF) {
+ DbpString("Tags can only have 44 bits.");
+ return;
+ }
+ // Build the 3 data blocks for supplied 44bit ID
+ last_block = 3;
+ // load preamble
+ data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
+ data[2] = manchesterEncode2Bytes(lo >> 16);
+ data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
+ }
+ // load chip config block
+ data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
+
+ //TODO add selection of chip for Q5 or T55x7
+ // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
+
+ LED_D_ON();
+ WriteT55xx(data, 0, last_block+1);
+ LED_D_OFF();
+}
+
+void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
+ uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
+ //TODO add selection of chip for Q5 or T55x7
+ //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
+ // data[0] = (64 << T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
+
+ LED_D_ON();
+ // Program the data blocks for supplied ID
+ // and the block 0 config
+ WriteT55xx(data, 0, 3);
+ LED_D_OFF();
+}
+
+// Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
+ //Program the 2 data blocks for supplied 64bit UID
+ // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
+ uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
+ //TODO add selection of chip for Q5 or T55x7
+ // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
+
+ WriteT55xx(data, 0, 3);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
+ // T5567WriteBlock(0x603E1042,0);
+}
+// Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
+ //Program the 7 data blocks for supplied 224bit UID
+ uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
+ // and the block 0 for Indala224 format
+ //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
+ data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
+ //TODO add selection of chip for Q5 or T55x7
+ // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
+ WriteT55xx(data, 0, 8);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
+ // T5567WriteBlock(0x603E10E2,0);
+}
+// clone viking tag to T55xx
+void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
+ uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
+ //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
+ if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
+ // Program the data blocks for supplied ID and the block 0 config
+ WriteT55xx(data, 0, 3);
+ LED_D_OFF();
+ cmd_send(CMD_ACK,0,0,0,0,0);
+}
+
+// Define 9bit header for EM410x tags
+#define EM410X_HEADER 0x1FF
+#define EM410X_ID_LENGTH 40
+
+void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
+ int i, id_bit;
+ uint64_t id = EM410X_HEADER;
+ uint64_t rev_id = 0; // reversed ID
+ int c_parity[4]; // column parity
+ int r_parity = 0; // row parity
+ uint32_t clock = 0;
+
+ // Reverse ID bits given as parameter (for simpler operations)
+ for (i = 0; i < EM410X_ID_LENGTH; ++i) {
+ if (i < 32) {
+ rev_id = (rev_id << 1) | (id_lo & 1);
+ id_lo >>= 1;
+ } else {
+ rev_id = (rev_id << 1) | (id_hi & 1);
+ id_hi >>= 1;
+ }
+ }
+
+ for (i = 0; i < EM410X_ID_LENGTH; ++i) {
+ id_bit = rev_id & 1;
+
+ if (i % 4 == 0) {
+ // Don't write row parity bit at start of parsing
+ if (i)
+ id = (id << 1) | r_parity;
+ // Start counting parity for new row
+ r_parity = id_bit;
+ } else {
+ // Count row parity
+ r_parity ^= id_bit;
+ }
+
+ // First elements in column?
+ if (i < 4)
+ // Fill out first elements
+ c_parity[i] = id_bit;
+ else
+ // Count column parity
+ c_parity[i % 4] ^= id_bit;
+
+ // Insert ID bit
+ id = (id << 1) | id_bit;
+ rev_id >>= 1;
+ }
+
+ // Insert parity bit of last row
+ id = (id << 1) | r_parity;
+
+ // Fill out column parity at the end of tag
+ for (i = 0; i < 4; ++i)
+ id = (id << 1) | c_parity[i];
+
+ // Add stop bit
+ id <<= 1;
+
+ Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
+ LED_D_ON();
+
+ // Write EM410x ID
+ uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
+
+ clock = (card & 0xFF00) >> 8;
+ clock = (clock == 0) ? 64 : clock;
+ Dbprintf("Clock rate: %d", clock);
+ if (card & 0xFF) { //t55x7
+ clock = GetT55xxClockBit(clock);
+ if (clock == 0) {
+ Dbprintf("Invalid clock rate: %d", clock);
+ return;
+ }
+ data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
+ } else { //t5555 (Q5)
+ clock = (clock-2)>>1; //n = (RF-2)/2
+ data[0] = (clock << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
+ }
+
+ WriteT55xx(data, 0, 3);
+
+ LED_D_OFF();
+ Dbprintf("Tag %s written with 0x%08x%08x\n",
+ card ? "T55x7":"T5555",
+ (uint32_t)(id >> 32),
+ (uint32_t)id);
+}
+
+//-----------------------------------
+// EM4469 / EM4305 routines
+//-----------------------------------
+// Below given command set.
+// Commands are including the even parity, binary mirrored
+#define FWD_CMD_LOGIN 0xC
+#define FWD_CMD_WRITE 0xA
+#define FWD_CMD_READ 0x9
+#define FWD_CMD_DISABLE 0x5
+
+uint8_t forwardLink_data[64]; //array of forwarded bits
+uint8_t * forward_ptr; //ptr for forward message preparation
+uint8_t fwd_bit_sz; //forwardlink bit counter
+uint8_t * fwd_write_ptr; //forwardlink bit pointer
+
+//====================================================================
+// prepares command bits
+// see EM4469 spec
+//====================================================================
+//--------------------------------------------------------------------
+// VALUES TAKEN FROM EM4x function: SendForward
+// START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
+// WRITE_GAP = 128; (16*8)
+// WRITE_1 = 256 32*8; (32*8)
+
+// These timings work for 4469/4269/4305 (with the 55*8 above)
+// WRITE_0 = 23*8 , 9*8
+
+uint8_t Prepare_Cmd( uint8_t cmd ) {
+
+ *forward_ptr++ = 0; //start bit
+ *forward_ptr++ = 0; //second pause for 4050 code
+
+ *forward_ptr++ = cmd;
+ cmd >>= 1;
+ *forward_ptr++ = cmd;
+ cmd >>= 1;
+ *forward_ptr++ = cmd;
+ cmd >>= 1;
+ *forward_ptr++ = cmd;
+
+ return 6; //return number of emited bits
+}
+
+//====================================================================
+// prepares address bits
+// see EM4469 spec
+//====================================================================
+uint8_t Prepare_Addr( uint8_t addr ) {
+
+ register uint8_t line_parity;
+
+ uint8_t i;
+ line_parity = 0;
+ for( i=0; i<6; i++ ) {
+ *forward_ptr++ = addr;
+ line_parity ^= addr;
+ addr >>= 1;
+ }
+
+ *forward_ptr++ = (line_parity & 1);
+
+ return 7; //return number of emited bits
+}
+
+//====================================================================
+// prepares data bits intreleaved with parity bits
+// see EM4469 spec
+//====================================================================
+uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
+
+ register uint8_t line_parity;
+ register uint8_t column_parity;
+ register uint8_t i, j;
+ register uint16_t data;
+
+ data = data_low;
+ column_parity = 0;
+
+ for(i=0; i<4; i++) {
+ line_parity = 0;
+ for(j=0; j<8; j++) {
+ line_parity ^= data;
+ column_parity ^= (data & 1) << j;
+ *forward_ptr++ = data;
+ data >>= 1;
+ }
+ *forward_ptr++ = line_parity;
+ if(i == 1)
+ data = data_hi;
+ }
+
+ for(j=0; j<8; j++) {
+ *forward_ptr++ = column_parity;
+ column_parity >>= 1;
+ }
+ *forward_ptr = 0;
+
+ return 45; //return number of emited bits
+}
+
+//====================================================================
+// Forward Link send function
+// Requires: forwarLink_data filled with valid bits (1 bit per byte)
+// fwd_bit_count set with number of bits to be sent
+//====================================================================
+void SendForward(uint8_t fwd_bit_count) {
+
+// iceman, 21.3us increments for the USclock verification.
+// 55FC * 8us == 440us / 21.3 === 20.65 steps. could be too short. Go for 56FC instead
+// 32FC * 8us == 256us / 21.3 == 12.018 steps. ok
+// 16FC * 8us == 128us / 21.3 == 6.009 steps. ok
+
+#ifndef EM_START_GAP
+#define EM_START_GAP 56*8
+#endif
+#ifndef EM_ONE_GAP
+#define EM_ONE_GAP 32*8
+#endif
+#ifndef EM_ZERO_GAP
+# define EM_ZERO_GAP 16*8
+#endif
+
+ fwd_write_ptr = forwardLink_data;
+ fwd_bit_sz = fwd_bit_count;
+
+ // Set up FPGA, 125kHz
+ LFSetupFPGAForADC(95, true);
+
+ // force 1st mod pulse (start gap must be longer for 4305)
+ fwd_bit_sz--; //prepare next bit modulation
+ fwd_write_ptr++;
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ WaitUS(EM_START_GAP);
+
+ TurnReadLFOn(EM_ZERO_GAP);
+
+ // now start writting with bitbanging the antenna.
+ while(fwd_bit_sz-- > 0) { //prepare next bit modulation
+ if(((*fwd_write_ptr++) & 1) == 1)
+ WaitUS(EM_ONE_GAP);
+ else {
+ //These timings work for 4469/4269/4305
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ WaitUS(EM_ZERO_GAP);
+ TurnReadLFOn(EM_ZERO_GAP);
+ }
+ }
+}
+
+void EM4xLogin(uint32_t pwd) {
+ uint8_t len;
+ forward_ptr = forwardLink_data;
+ len = Prepare_Cmd( FWD_CMD_LOGIN );
+ len += Prepare_Data( pwd & 0xFFFF, pwd >> 16 );
+ SendForward(len);
+ WaitMS(20);
+}
+
+void EM4xReadWord(uint8_t addr, uint32_t pwd, uint8_t usepwd) {
+
+ LED_A_ON();
+
+ uint8_t len;
+
+ //clear buffer now so it does not interfere with timing later
+ BigBuf_Clear_ext(false);
+
+ if (usepwd) EM4xLogin(pwd);
+
+ forward_ptr = forwardLink_data;
+ len = Prepare_Cmd( FWD_CMD_READ );
+ len += Prepare_Addr( addr );
+
+ SendForward(len);
+
+ DoAcquisition_config(TRUE);
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
+}
+
+void EM4xWriteWord(uint32_t flag, uint32_t data, uint32_t pwd) {
+
+ LED_A_ON();
+
+ bool usePwd = (flag & 0xF);
+ uint8_t addr = (flag >> 8) & 0xFF;
+ uint8_t len;
+
+ //clear buffer now so it does not interfere with timing later
+ BigBuf_Clear_ext(false);
+
+ if (usePwd) EM4xLogin(pwd);
+
+ forward_ptr = forwardLink_data;
+ len = Prepare_Cmd( FWD_CMD_WRITE );
+ len += Prepare_Addr( addr );
+ len += Prepare_Data( data & 0xFFFF, data >> 16 );
+
+ SendForward(len);
+
+ //Wait 20ms for write to complete
+ WaitMS(20);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
+}
+
+/*
+Reading a COTAG.
+
+COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
+because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
+
+READER START SEQUENCE:
+burst 800 us, gap 2.2 msecs
+burst 3.6 msecs gap 2.2 msecs
+burst 800 us gap 2.2 msecs
+pulse 3.6 msecs
+
+This triggers a COTAG tag to response
+*/
+void Cotag(uint32_t arg0) {
+#ifndef OFF
+# define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
+#endif
+#ifndef ON
+# define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
+#endif
+ uint8_t rawsignal = arg0 & 0xF;
+
+ LED_A_ON();
+
+ // Switching to LF image on FPGA. This might empty BigBuff
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ //clear buffer now so it does not interfere with timing later
+ BigBuf_Clear_ext(false);
+
+ // Set up FPGA, 132kHz to power up the tag
+ FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
+
+ // Connect the A/D to the peak-detected low-frequency path.
+ SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+
+ // Now set up the SSC to get the ADC samples that are now streaming at us.
+ FpgaSetupSsc();
+
+ // start clock - 1.5ticks is 1us
+ StartTicks();
+
+ //send COTAG start pulse
+ ON(740) OFF
+ ON(3330) OFF
+ ON(740) OFF
+ ON(1000)
+
+ switch(rawsignal) {
+ case 0: doCotagAcquisition(50000); break;
+ case 1: doCotagAcquisitionManchester(); break;
+ case 2: DoAcquisition_config(TRUE); break;
+ }
+
+ // Turn the field off
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
+}
+
+/*
+* EM4305 support
+*/
projects / proxmark3-svn / blobdiff