* Relevant times in microsecond
* To compensate antenna falling times shorten the write times
* and enlarge the gap ones.
+ * Q5 tags seems to have issues when these values changes.
*/
#define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
// T0 = TIMER_CLOCK1 / 125000 = 192
-// 1 Cycle = 8 microseconds(us)
-
+// 1 Cycle = 8 microseconds(us) == 1 field clock
// Write one bit to card
-void T55xxWriteBit(int bit)
-{
- //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+void T55xxWriteBit(int bit) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
if (!bit)
SpinDelayUs(WRITE_0);
}
// Write one card block in page 0, no lock
-void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
-{
+void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) {
+ LED_A_ON();
+
uint32_t i = 0;
// Set up FPGA, 125kHz
- // Wait for config.. (192+8190xPOW)x8 == 67ms
LFSetupFPGAForADC(95, true);
- // Now start writting
+ // Trigger T55x7 in mode.
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(START_GAP);
- // Opcode
+ // Opcode 10
T55xxWriteBit(1);
T55xxWriteBit(0); //Page 0
+
if (PwdMode == 1){
- // Pwd
+ // Send pwd
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
}
- // Lock bit
+ // Send lock bit
T55xxWriteBit(0);
- // Data
+ // Send data
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Data & i);
- // Block
+ // Send block number
for (i = 0x04; i != 0; i >>= 1)
T55xxWriteBit(Block & i);
- // Now perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
+ // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
// so wait a little more)
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
- SpinDelay(20);
+ TurnReadLFOn(20 * 1000);
+
+ // field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
}
-void TurnReadLFOn(int delay){
+void TurnReadLFOn(int delay) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// Give it a bit of time for the resonant antenna to settle.
SpinDelayUs(delay);
}
// Read one card block in page 0
-void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
-{
+void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) {
+ LED_A_ON();
+
uint32_t i = 0;
//make sure block is at max 7
T55xxWriteBit(0); //Page 0
if (PwdMode == 1){
- // Pwd
+ // Send pwd
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
}
- // zero bit to seperate
+ // Send a zero bit seperation
T55xxWriteBit(0);
- // Block
- for (i = 0x04; i != 0; i >>= 1) {
+ // Send block number
+ for (i = 0x04; i != 0; i >>= 1)
T55xxWriteBit(Block & i);
- Dbprintf("ice %d",i);
- }
// Turn field on to read the response
TurnReadLFOn(START_GAP);
// field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
- LED_D_OFF();
+ LED_A_OFF();
}
-
// Read card traceability data (page 1)
void T55xxReadTrace(void){
+ LED_A_ON();
+
+ // Set up FPGA, 125kHz
+ LFSetupFPGAForADC(95, true);
- LFSetupFPGAForADC(0, true);
+ // Trigger T55x7 in mode.
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(START_GAP);
// field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
- LED_D_OFF();
+ LED_A_OFF();
}
-
/*-------------- Cloning routines -----------*/
// Copy HID id to card and setup block 0 config
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
// Clone Indala 64-bit tag by UID to T55x7
void CopyIndala64toT55x7(int hi, int lo)
{
-
//Program the 2 data blocks for supplied 64bit UID
// and the block 0 for Indala64 format
T55xxWriteBlock(hi,1,0,0);
// T5567WriteBlock(0x603E1042,0);
DbpString("DONE!");
-
}
void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
{
-
//Program the 7 data blocks for supplied 224bit UID
// and the block 0 for Indala224 format
T55xxWriteBlock(uid1,1,0,0);
// T5567WriteBlock(0x603E10E2,0);
DbpString("DONE!");
-
}
//-----------------------------------
#define FWD_CMD_READ 0x9
#define FWD_CMD_DISABLE 0x5
-
uint8_t forwardLink_data[64]; //array of forwarded bits
uint8_t * forward_ptr; //ptr for forward message preparation
uint8_t fwd_bit_sz; //forwardlink bit counter
// prepares command bits
// see EM4469 spec
//====================================================================
-//--------------------------------------------------------------------
uint8_t Prepare_Cmd( uint8_t cmd ) {
- //--------------------------------------------------------------------
*forward_ptr++ = 0; //start bit
*forward_ptr++ = 0; //second pause for 4050 code
// prepares address bits
// see EM4469 spec
//====================================================================
-
-//--------------------------------------------------------------------
uint8_t Prepare_Addr( uint8_t addr ) {
- //--------------------------------------------------------------------
register uint8_t line_parity;
// prepares data bits intreleaved with parity bits
// see EM4469 spec
//====================================================================
-
-//--------------------------------------------------------------------
uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
- //--------------------------------------------------------------------
register uint8_t line_parity;
register uint8_t column_parity;
LED_D_ON();
- //Field on
- FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
-
- // Give it a bit of time for the resonant antenna to settle.
- // And for the tag to fully power up
- SpinDelay(150);
-
+ // Set up FPGA, 125kHz
+ LFSetupFPGAForADC(95, true);
+
// force 1st mod pulse (start gap must be longer for 4305)
fwd_bit_sz--; //prepare next bit modulation
fwd_write_ptr++;
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
SpinDelayUs(16*8); //16 cycles on (8us each)
//These timings work for 4469/4269/4305 (with the 55*8 above)
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
SpinDelayUs(23*8); //16-4 cycles off (8us each)
- FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
SpinDelayUs(9*8); //16 cycles on (8us each)
}
//Wait for command to complete
SpinDelay(20);
-
}
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
if (i >= bufferlength) break;
}
}
-
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
cmd_send(CMD_ACK,0,0,0,0,0);
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
LED_D_OFF();
}
LED_D_OFF();
}
-void CopyViKingtoT55x7(uint32_t block1,uint32_t block2) {
+void CopyViKingtoT55x7(uint32_t block1, uint32_t block2) {
LED_D_ON();
T55xxWriteBlock(block1,1,0,0);
T55xxWriteBlock(block2,2,0,0);
-
T55xxWriteBlock(T55x7_MODULATION_MANCHESTER | T55x7_BITRATE_RF_32 | 2 << T5555_MAXBLOCK_SHIFT,0,0,1);
+ // ICEMAN NOTES:
+ // Shouldn't this one be: T55x7_MAXBLOCK_SHIFT and 0 in password mode
+ // like this:
+ // T55xxWriteBlock(T55x7_MODULATION_MANCHESTER | T55x7_BITRATE_RF_32 | 2 << T55x7_MAXBLOCK_SHIFT,0,0,0);
LED_D_OFF();
- DbpString("DONE!");
}
projects / proxmark3-svn / blobdiff