search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #1331 from Guilhem7/master
[RRG-proxmark3.git] / armsrc / lfops.c
blob12ef076b2cb4032effc95606dc1f2b399d1b6993
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "lfops.h"
12
13 #include "proxmark3_arm.h"
14 #include "cmd.h"
15 #include "BigBuf.h"
16 #include "fpgaloader.h"
17 #include "ticks.h"
18 #include "dbprint.h"
19 #include "util.h"
20 #include "commonutil.h"
21
22 #include "crc16.h"
23 #include "string.h"
24 #include "printf.h"
25 #include "lfdemod.h"
26 #include "lfsampling.h"
27 #include "protocols.h"
28 #include "pmflash.h"
29 #include "flashmem.h" // persistence on flash
30 #include "appmain.h" // print stack
31
32 /*
33 Notes about EM4xxx timings.
34
35 The timing values differs between cards, we got EM410x, EM43x5, EM445x etc.
36 We are trying to unify and enable the Proxmark to easily detect and select correct timings automatic.
37 The measures from datasheets doesn't always match correct the hardware features of RDV4 antenans and we still wanted to let other devices with other custom antennas
38 still benefit from this repo. This is why its configurable and we use to set these dynamic settings in device external flash memory.
39
40
41 // VALUES TAKEN FROM EM4x function: SendForward
42 // START_GAP = 440; (55*8) cycles at 125kHz (8us = 1cycle)
43 // WRITE_GAP = 128; (16*8)
44 // WRITE_1 = 256 32*8; (32*8)
45
46 // These timings work for 4469/4269/4305 (with the 55*8 above)
47 // WRITE_0 = 23*8 , 9*8
48
49 Not about ARM TIMERS
50 Short note about timers on Proxmark device ARM. They are a bit differently implemented and gives decent correctness.
51
52 SAM7S has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
53 TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
54
55 New timer implemenation in ticks.c, which is used in LFOPS.c
56 1 μs = 1.5 ticks
57 1 fc = 8 μs = 12 ticks
58
59 Terms you find in different datasheets and how they match.
60 1 Cycle = 8 microseconds (μs) == 1 field clock (fc)
61
62 Note about HITAG timing
63 Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
64 T0 = TIMER_CLOCK1 / 125000 = 192
65
66
67 ==========================================================================================================
68 T55x7 Timing
69 ==========================================================================================================
70
71 ATA5577 Downlink Protocol Timings.
72 Note: All absolute times assume TC = 1 / fC = 8 μs (fC = 125 kHz)
73
74 Note: These timings are from the datasheet and doesn't map the best to the features of the RVD4 LF antenna.
75 RDV4 LF antenna has high voltage and the drop of power when turning off the rf field takes about 1-2 TC longer.
76
77 -----------------------------------------------------------------------
78 Fixed-bit-length Protocol | Normal Downlink | Fast Downlink |
79 ------------------------------+-----------------------------------+-----------------------------------+------
80 | Parameter | Remark | Symbol | Min. | Typ. | Max. | Min. | Typ. | Max. | Unit |
81 |------------+--------+--------+-----------+-----------+-----------+-----------+-----------+-----------+------|
82 | Start gap | | Sgap | 8 | 15 | 50 | 8 | 15 | 50 | Tc |
83 | Write gap | | Wgap | 8 | 10 | 20 | 8 | 10 | 20 | Tc |
84 |------------+--------+--------+-----------+-----------+-----------+-----------+-----------+-----------+------|
85 | coding | 0 data | d0 | 16 | 24 | 32 | 8 | 12 | 16 | Tc |
86 | | 1 data | d1 | 48 | 56 | 64 | 24 | 28 | 32 | Tc |
87 -------------------------------------------------------------------------------------------------------------
88
89 -----------------------------------------------------------------------
90 Long Leading Reference | Normal Downlink | Fast Downlink |
91 ------------------------------+-----------------------------------+-----------------------------------+------
92 | Parameter | Remark | Symbol | Min. | Typ. | Max. | Min. | Typ. | Max. | Unit |
93 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
94 | Start gap | | Sgap | 8 | 10 | 50 | 8 | 10 | 50 | Tc |
95 | Write gap | | Wgap | 8 | 10 | 20 | 8 | 10 | 20 | Tc |
96 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
97 | Write | Ref | | 152 | 160 | 168 | 140 | 144 | 148 | Tc |
98 | data | Pulse | dref | 136 clocks + 0 data bit | 132 clocks + 0 data bit | Tc |
99 | coding |--------+---------+-----------------------------------+-----------------------------------+------|
100 | | 0 data | d0 |dref – 143 |dref – 136 |dref – 128 |dref – 135 |dref – 132 |dref – 124 | Tc |
101 | | 1 data | d1 |dref – 111 |dref – 104 |dref – 96 |dref – 119 |dref – 116 |dref – 112 | Tc |
102 -------------------------------------------------------------------------------------------------------------
103
104 -----------------------------------------------------------------------
105 Leading-zero Reference | Normal Downlink | Fast Downlink |
106 ------------------------------+-----------------------------------+-----------------------------------+------
107 | Parameter | Remark | Symbol | Min. | Typ. | Max. | Min. | Typ. | Max. | Unit |
108 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
109 | Start gap | | Sgap | 8 | 10 | 50 | 8 | 10 | 50 | Tc |
110 | Write gap | | Wgap | 8 | 10 | 20 | 8 | 10 | 20 | Tc |
111 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
112 | Write | Ref | dref | 12 | – | 72 | 8 | – | 68 | Tc |
113 | data | 0 data | d0 | dref – 7 | dref | dref + 8 | dref – 3 | dref | dref + 4 | Tc |
114 | coding | 1 data | d1 | dref + 9 | dref + 16 | dref + 24 | dref + 5 | dref + 8 | dref + 12 | Tc |
115 -------------------------------------------------------------------------------------------------------------
116
117 -----------------------------------------------------------------------
118 1-of-4 Coding | Normal Downlink | Fast Downlink |
119 ------------------------------+-----------------------------------+-----------------------------------+------
120 | Parameter | Remark | Symbol | Min. | Typ. | Max. | Min. | Typ. | Max. | Unit |
121 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
122 | Start gap | | Sgap | 8 | 10 | 50 | 8 | 10 | 50 | Tc |
123 | Write gap | | Wgap | 8 | 10 | 20 | 8 | 10 | 20 | Tc |
124 |-----------+--------+---------+-----------+-----------+-----------+-----------+-----------+-----------+------|
125 | Write | Ref 00 | dref | 8 | – | 68 | 12 | – | 72 | Tc |
126 | data |00 data | d00 | dref – 7 | dref | dref + 8 | dref – 3 | dref | dref+ 4 | Tc |
127 | coding |01 data | d01 | dref + 9 | dref + 16 | dref + 24 | dref + 5 | dref + 8 | dref + 12 | Tc |
128 | |10 data | d10 | dref + 25 | dref + 32 | dref + 40 | dref + 13 | dref + 16 | dref + 20 | Tc |
129 | |11 data | d11 | dref + 41 | dref + 48 | dref + 56 | dref + 21 | dref + 24 | dref + 28 | Tc |
130 -------------------------------------------------------------------------------------------------------------
131
132 Initial values if not in flash
133
134 SG = Start gap
135 WG = Write gap
136 RG = Read gap
137
138 Explainations for array T55xx_Timing below
139
140 0 1 2 3
141 SG WG Bit 00 Bit 01 Bit 10 Bit 11 RG
142 --------------------------------------------------------------------
143 { 29 , 17 , 15 , 47 , 0 , 0 , 15 }, // Default Fixed
144 { 29 , 17 , 15 , 50 , 0 , 0 , 15 }, // Long Leading Ref.
145 { 29 , 17 , 15 , 40 , 0 , 0 , 15 }, // Leading 0
146 { 29 , 17 , 15 , 31 , 47 , 63 , 15 } // 1 of 4
147 */
148 t55xx_configurations_t T55xx_Timing = {
149 {
150 #ifdef WITH_FLASH
151 // PM3RDV4
152 { 29 * 8, 17 * 8, 15 * 8, 47 * 8, 15 * 8, 0, 0 }, // Default Fixed
153 { 29 * 8, 17 * 8, 15 * 8, 47 * 8, 15 * 8, 0, 0 }, // Long Leading Ref.
154 { 29 * 8, 17 * 8, 15 * 8, 40 * 8, 15 * 8, 0, 0 }, // Leading 0
155 { 29 * 8, 17 * 8, 15 * 8, 31 * 8, 15 * 8, 47 * 8, 63 * 8 } // 1 of 4
156 #else
157 // PM3GENERIC or like official repo
158 { 31 * 8, 20 * 8, 18 * 8, 50 * 8, 15 * 8, 0, 0 }, // Default Fixed
159 { 31 * 8, 20 * 8, 18 * 8, 50 * 8, 15 * 8, 0, 0 }, // Long Leading Ref.
160 { 31 * 8, 20 * 8, 18 * 8, 40 * 8, 15 * 8, 0, 0 }, // Leading 0
161 { 31 * 8, 20 * 8, 18 * 8, 34 * 8, 15 * 8, 50 * 8, 66 * 8 } // 1 of 4
162 #endif
163 }
164 };
165
166
167 // Some defines for readability
168 #define T55XX_DLMODE_FIXED 0 // Default Mode
169 #define T55XX_DLMODE_LLR 1 // Long Leading Reference
170 #define T55XX_DLMODE_LEADING_ZERO 2 // Leading Zero
171 #define T55XX_DLMODE_1OF4 3 // 1 of 4
172 #define T55XX_LONGLEADINGREFERENCE 4 // Value to tell Write Bit to send long reference
173
174 // ATA55xx shared presets & routines
175 static uint32_t GetT55xxClockBit(uint8_t clock) {
176 switch (clock) {
177 case 128:
178 return T55x7_BITRATE_RF_128;
179 case 100:
180 return T55x7_BITRATE_RF_100;
181 case 64:
182 return T55x7_BITRATE_RF_64;
183 case 50:
184 return T55x7_BITRATE_RF_50;
185 case 40:
186 return T55x7_BITRATE_RF_40;
187 case 32:
188 return T55x7_BITRATE_RF_32;
189 case 16:
190 return T55x7_BITRATE_RF_16;
191 case 8:
192 return T55x7_BITRATE_RF_8;
193 default :
194 return 0;
195 }
196 }
197
198 void printT55xxConfig(void) {
199
200 #define PRN_NA sprintf(s + strlen(s), _RED_("N/A") " | ");
201
202 DbpString(_CYAN_("LF T55XX config"));
203 Dbprintf(" [r] [a] [b] [c] [d] [e] [f] [g]");
204 Dbprintf(" mode |start|write|write|write| read|write|write");
205 Dbprintf(" | gap | gap | 0 | 1 | gap | 2 | 3");
206 Dbprintf("---------------------------+-----+-----+-----+-----+-----+-----+------");
207
208 for (uint8_t i = 0; i < 4; i++) {
209
210 char s[160];
211 memset(s, 0, sizeof(s));
212
213 switch (i) {
214 case T55XX_DLMODE_FIXED :
215 sprintf(s, _YELLOW_("fixed bit length") _GREEN_(" (default)") " |");
216 break;
217 case T55XX_DLMODE_LLR :
218 sprintf(s, _YELLOW_(" long leading reference") " |");
219 break;
220 case T55XX_DLMODE_LEADING_ZERO :
221 sprintf(s, _YELLOW_(" leading zero") " |");
222 break;
223 case T55XX_DLMODE_1OF4 :
224 sprintf(s, _YELLOW_(" 1 of 4 coding reference") " |");
225 break;
226 default:
227 break;
228 }
229
230 if (T55xx_Timing.m[i].start_gap != 0xFFFF) {
231 sprintf(s + strlen(s), " %3d | ", T55xx_Timing.m[i].start_gap / 8);
232 } else {
233 PRN_NA;
234 }
235
236 if (T55xx_Timing.m[i].write_gap != 0xFFFF) {
237 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].write_gap / 8);
238 } else {
239 PRN_NA;
240 }
241
242 if (T55xx_Timing.m[i].write_0 != 0xFFFF) {
243 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].write_0 / 8);
244 } else {
245 PRN_NA;
246 }
247
248 if (T55xx_Timing.m[i].write_1 != 0xFFFF) {
249 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].write_1 / 8);
250 } else {
251 PRN_NA;
252 }
253
254 if (T55xx_Timing.m[i].read_gap != 0xFFFF) {
255 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].read_gap / 8);
256 } else {
257 PRN_NA;
258 }
259
260 if (T55xx_Timing.m[i].write_2 != 0xFFFF && i == T55XX_DLMODE_1OF4) {
261 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].write_2 / 8);
262 } else {
263 PRN_NA
264 }
265
266 if (T55xx_Timing.m[i].write_3 != 0xFFFF && i == T55XX_DLMODE_1OF4) {
267 sprintf(s + strlen(s), "%3d | ", T55xx_Timing.m[i].write_3 / 8);
268 } else {
269 PRN_NA;
270 }
271
272 // remove last space
273 s[strlen(s)] = 0;
274 DbpStringEx(FLAG_LOG, s, sizeof(s));
275 }
276 DbpString("");
277 }
278
279 void setT55xxConfig(uint8_t arg0, t55xx_configurations_t *c) {
280 for (uint8_t i = 0; i < 4; i++) {
281 if (c->m[i].start_gap != 0)
282 T55xx_Timing.m[i].start_gap = c->m[i].start_gap;
283
284 if (c->m[i].write_gap != 0)
285 T55xx_Timing.m[i].write_gap = c->m[i].write_gap;
286
287 if (c->m[i].write_0 != 0)
288 T55xx_Timing.m[i].write_0 = c->m[i].write_0;
289
290 if (c->m[i].write_1 != 0)
291 T55xx_Timing.m[i].write_1 = c->m[i].write_1;
292
293 if (i == T55XX_DLMODE_1OF4) {
294 if (c->m[i].write_2 != 0)
295 T55xx_Timing.m[i].write_2 = c->m[i].write_2;
296
297 if (c->m[i].write_3 != 0)
298 T55xx_Timing.m[i].write_3 = c->m[i].write_3;
299
300 } else {
301 T55xx_Timing.m[i].write_2 = 0x00;
302 T55xx_Timing.m[i].write_3 = 0x00;
303 }
304 if (c->m[i].read_gap != 0)
305 T55xx_Timing.m[i].read_gap = c->m[i].read_gap;
306 }
307
308 printT55xxConfig();
309
310 #ifdef WITH_FLASH
311 // shall persist to flashmem
312 if (arg0 == 0) {
313 BigBuf_free();
314 return;
315 }
316
317 if (!FlashInit()) {
318 BigBuf_free();
319 return;
320 }
321
322 uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
323 Flash_CheckBusy(BUSY_TIMEOUT);
324 uint16_t res = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
325 if (res == 0) {
326 FlashStop();
327 BigBuf_free();
328 return;
329 }
330
331 memcpy(buf, &T55xx_Timing, T55XX_CONFIG_LEN);
332
333 // delete old configuration
334 Flash_CheckBusy(BUSY_TIMEOUT);
335 Flash_WriteEnable();
336 Flash_Erase4k(3, 0xD);
337
338 // write new
339 res = Flash_Write(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
340
341 if (res == T55XX_CONFIG_LEN && DBGLEVEL > 1) {
342 DbpString("T55XX Config save " _GREEN_("success"));
343 }
344
345 BigBuf_free();
346 #endif
347 }
348
349 t55xx_configurations_t *getT55xxConfig(void) {
350 return &T55xx_Timing;//_FixedBit;
351 }
352
353 void loadT55xxConfig(void) {
354 #ifdef WITH_FLASH
355
356 if (!FlashInit()) {
357 return;
358 }
359
360 uint8_t *buf = BigBuf_malloc(T55XX_CONFIG_LEN);
361
362 Flash_CheckBusy(BUSY_TIMEOUT);
363 uint16_t isok = Flash_ReadDataCont(T55XX_CONFIG_OFFSET, buf, T55XX_CONFIG_LEN);
364 FlashStop();
365
366 // verify read mem is actual data.
367 uint8_t cntA = T55XX_CONFIG_LEN, cntB = T55XX_CONFIG_LEN;
368 for (int i = 0; i < T55XX_CONFIG_LEN; i++) {
369 if (buf[i] == 0xFF) cntA--;
370 if (buf[i] == 0x00) cntB--;
371 }
372 if (!cntA || !cntB) {
373 BigBuf_free();
374 return;
375 }
376
377 if (buf[0] != 0xFF) // if not set for clear
378 memcpy((uint8_t *)&T55xx_Timing, buf, T55XX_CONFIG_LEN);
379
380 if (isok == T55XX_CONFIG_LEN) {
381 if (DBGLEVEL > 1) DbpString("T55XX Config load success");
382 }
383 #endif
384 }
385
386 /**
387 * Function to do a modulation and then get samples.
388 * @param delay_off
389 * @param period_0
390 * @param period_1
391 * @param command (in binary char array)
392 */
393 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint16_t period_0, uint16_t period_1, uint8_t *symbol_extra, uint16_t *period_extra, uint8_t *command, bool verbose, uint32_t samples) {
394
395 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
396
397 // use lf config settings
398 sample_config *sc = getSamplingConfig();
399
400 LFSetupFPGAForADC(sc->divisor, true);
401 // this causes the field to turn on for uncontrolled amount of time, so we'll turn it off
402
403 // Make sure the tag is reset
404 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
405
406 // start timer
407 StartTicks();
408
409 WaitMS(100);
410
411 // clear read buffer
412 BigBuf_Clear_keep_EM();
413
414 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
415 bool bitbang = (delay_off == 0);
416 // now modulate the reader field
417
418 // Some tags need to be interrogated very soon after activation else they enter their emulation mode
419 // Therefore it's up to the caller to add an initial symbol of adequate duration, except for bitbang mode.
420 if (bitbang) {
421 TurnReadLFOn(20000);
422 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
423 uint8_t hack_cnt = 7;
424 if (period_0 < hack_cnt || period_1 < hack_cnt) {
425 DbpString("[!] Warning periods cannot be less than 7us in bit bang mode");
426 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
427 LED_D_OFF();
428 reply_ng(CMD_LF_MOD_THEN_ACQ_RAW_ADC, PM3_EINVARG, NULL, 0);
429 return;
430 }
431
432 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
433 // leading to ~ 1 to 2 125kHz samples extra in every off period
434 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
435 // but is this time different for every antenna or other hw builds??? more testing needed
436
437 // prime cmd_len to save time comparing strings while modulating
438 int cmd_len = 0;
439 while (command[cmd_len] != '\0' && command[cmd_len] != ' ')
440 cmd_len++;
441
442 int counter = 0;
443 bool off = false;
444 for (counter = 0; counter < cmd_len; counter++) {
445 // if cmd = 0 then turn field off
446 if (command[counter] == '0') {
447 // if field already off leave alone (affects timing otherwise)
448 if (off == false) {
449 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
450 LED_D_OFF();
451 off = true;
452 }
453 // note we appear to take about 7us to switch over (or run the if statements/loop...)
454 WaitUS(period_0 - hack_cnt);
455 // else if cmd = 1 then turn field on
456 } else {
457 // if field already on leave alone (affects timing otherwise)
458 if (off) {
459 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD);
460 LED_D_ON();
461 off = false;
462 }
463 // note we appear to take about 7us to switch over (or run the if statements/loop...)
464 WaitUS(period_1 - hack_cnt);
465 }
466 }
467 } else { // old mode of cmd read using delay as off period
468 while (*command != '\0' && *command != ' ') {
469 LED_D_ON();
470 if (*command == '0') {
471 TurnReadLFOn(period_0);
472 } else if (*command == '1') {
473 TurnReadLFOn(period_1);
474 } else {
475 for (uint8_t i = 0; i < LF_CMDREAD_MAX_EXTRA_SYMBOLS; i++) {
476 if (*command == symbol_extra[i]) {
477 TurnReadLFOn(period_extra[i]);
478 break;
479 }
480 }
481 }
482 command++;
483 LED_D_OFF();
484 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
485 WaitUS(delay_off);
486 }
487
488 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
489 }
490
491 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD);
492
493 // now do the read
494 DoAcquisition_config(verbose, samples);
495
496 // Turn off antenna
497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
498
499 // tell client we are done
500 reply_ng(CMD_LF_MOD_THEN_ACQ_RAW_ADC, PM3_SUCCESS, NULL, 0);
501 }
502
503 /* blank r/w tag data stream
504 ...0000000000000000 01111111
505 1010101010101010101010101010101010101010101010101010101010101010
506 0011010010100001
507 01111111
508 101010101010101[0]000...
509
510 [5555fe852c5555555555555555fe0000]
511 */
512 void ReadTItag(void) {
513 StartTicks();
514 // some hardcoded initial params
515 // when we read a TI tag we sample the zerocross line at 2MHz
516 // TI tags modulate a 1 as 16 cycles of 123.2kHz
517 // TI tags modulate a 0 as 16 cycles of 134.2kHz
518 #define FSAMPLE 2000000
519 #define FREQLO 123200
520 #define FREQHI 134200
521
522 signed char *dest = (signed char *)BigBuf_get_addr();
523 uint16_t n = BigBuf_max_traceLen();
524 // 128 bit shift register [shift3:shift2:shift1:shift0]
525 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
526
527 int i, cycles = 0, samples = 0;
528 // how many sample points fit in 16 cycles of each frequency
529 uint32_t sampleslo = (FSAMPLE << 4) / FREQLO, sampleshi = (FSAMPLE << 4) / FREQHI;
530 // when to tell if we're close enough to one freq or another
531 uint32_t threshold = (sampleslo - sampleshi + 1) >> 1;
532
533 // TI tags charge at 134.2kHz
534 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
535 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_134); //~134kHz
536
537 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
538 // connects to SSP_DIN and the SSP_DOUT logic level controls
539 // whether we're modulating the antenna (high)
540 // or listening to the antenna (low)
541 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
542
543 // get TI tag data into the buffer
544 AcquireTiType();
545
546 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
547
548 for (i = 0; i < n - 1; i++) {
549 // count cycles by looking for lo to hi zero crossings
550 if ((dest[i] < 0) && (dest[i + 1] > 0)) {
551 cycles++;
552 // after 16 cycles, measure the frequency
553 if (cycles > 15) {
554 cycles = 0;
555 samples = i - samples; // number of samples in these 16 cycles
556
557 // TI bits are coming to us lsb first so shift them
558 // right through our 128 bit right shift register
559 shift0 = (shift0 >> 1) | (shift1 << 31);
560 shift1 = (shift1 >> 1) | (shift2 << 31);
561 shift2 = (shift2 >> 1) | (shift3 << 31);
562 shift3 >>= 1;
563
564 // check if the cycles fall close to the number
565 // expected for either the low or high frequency
566 if ((samples > (sampleslo - threshold)) && (samples < (sampleslo + threshold))) {
567 // low frequency represents a 1
568 shift3 |= (1u << 31);
569 } else if ((samples > (sampleshi - threshold)) && (samples < (sampleshi + threshold))) {
570 // high frequency represents a 0
571 } else {
572 // probably detected a gay waveform or noise
573 // use this as gaydar or discard shift register and start again
574 shift3 = shift2 = shift1 = shift0 = 0;
575 }
576 samples = i;
577
578 // for each bit we receive, test if we've detected a valid tag
579
580 // if we see 17 zeroes followed by 6 ones, we might have a tag
581 // remember the bits are backwards
582 if (((shift0 & 0x7fffff) == 0x7e0000)) {
583 // if start and end bytes match, we have a tag so break out of the loop
584 if (((shift0 >> 16) & 0xff) == ((shift3 >> 8) & 0xff)) {
585 cycles = 0xF0B; //use this as a flag (ugly but whatever)
586 break;
587 }
588 }
589 }
590 }
591 }
592
593 // if flag is set we have a tag
594 if (cycles != 0xF0B) {
595 DbpString("Info: No valid tag detected.");
596 } else {
597 // put 64 bit data into shift1 and shift0
598 shift0 = (shift0 >> 24) | (shift1 << 8);
599 shift1 = (shift1 >> 24) | (shift2 << 8);
600
601 // align 16 bit crc into lower half of shift2
602 shift2 = ((shift2 >> 24) | (shift3 << 8)) & 0x0ffff;
603
604 // if r/w tag, check ident match
605 if (shift3 & (1 << 15)) {
606 DbpString("Info: TI tag is rewriteable");
607 // only 15 bits compare, last bit of ident is not valid
608 if (((shift3 >> 16) ^ shift0) & 0x7fff) {
609 DbpString("Error: Ident mismatch!");
610 } else {
611 DbpString("Info: TI tag ident is valid");
612 }
613 } else {
614 DbpString("Info: TI tag is readonly");
615 }
616
617 // WARNING the order of the bytes in which we calc crc below needs checking
618 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
619 // bytes in reverse or something
620 // calculate CRC
621 uint32_t crc = 0;
622
623 crc = update_crc16(crc, (shift0) & 0xff);
624 crc = update_crc16(crc, (shift0 >> 8) & 0xff);
625 crc = update_crc16(crc, (shift0 >> 16) & 0xff);
626 crc = update_crc16(crc, (shift0 >> 24) & 0xff);
627 crc = update_crc16(crc, (shift1) & 0xff);
628 crc = update_crc16(crc, (shift1 >> 8) & 0xff);
629 crc = update_crc16(crc, (shift1 >> 16) & 0xff);
630 crc = update_crc16(crc, (shift1 >> 24) & 0xff);
631
632 Dbprintf("Info: Tag data: %x%08x, crc=%x", (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
633 if (crc != (shift2 & 0xffff)) {
634 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
635 } else {
636 DbpString("Info: CRC is good");
637 }
638 }
639 StopTicks();
640 }
641
642 static void WriteTIbyte(uint8_t b) {
643 int i = 0;
644
645 // modulate 8 bits out to the antenna
646 for (i = 0; i < 8; i++) {
647 if (b & (1 << i)) {
648 // stop modulating antenna 1ms
649 LOW(GPIO_SSC_DOUT);
650 WaitUS(1000);
651 // modulate antenna 1ms
652 HIGH(GPIO_SSC_DOUT);
653 WaitUS(1000);
654 } else {
655 // stop modulating antenna 0.3ms
656 LOW(GPIO_SSC_DOUT);
657 WaitUS(300);
658 // modulate antenna 1.7ms
659 HIGH(GPIO_SSC_DOUT);
660 WaitUS(1700);
661 }
662 }
663 }
664
665 void AcquireTiType(void) {
666 int i, j, n;
667 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
668 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
669 #define TIBUFLEN 1250
670
671 // clear buffer
672 uint32_t *buf = (uint32_t *)BigBuf_get_addr();
673
674 //clear buffer now so it does not interfere with timing later
675 BigBuf_Clear_ext(false);
676
677 // Set up the synchronous serial port
678 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
679 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
680
681 // steal this pin from the SSP and use it to control the modulation
682 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
683 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
684
685 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
686 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
687
688 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
689 // 48/2 = 24 MHz clock must be divided by 12
690 AT91C_BASE_SSC->SSC_CMR = 12;
691
692 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
693 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
694 // Transmit Clock Mode Register
695 AT91C_BASE_SSC->SSC_TCMR = 0;
696 // Transmit Frame Mode Register
697 AT91C_BASE_SSC->SSC_TFMR = 0;
698 // iceman, FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER) ?? the code above? can it be replaced?
699 LED_D_ON();
700
701 // modulate antenna
702 HIGH(GPIO_SSC_DOUT);
703
704 // Charge TI tag for 50ms.
705 WaitMS(50);
706
707 // stop modulating antenna and listen
708 LOW(GPIO_SSC_DOUT);
709
710 LED_D_OFF();
711
712 i = 0;
713 for (;;) {
714 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
715 buf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
716 i++;
717 if (i >= TIBUFLEN) break;
718 }
719 WDT_HIT();
720 }
721
722 // return stolen pin to SSP
723 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
724 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
725
726 char *dest = (char *)BigBuf_get_addr();
727 n = TIBUFLEN * 32;
728
729 // unpack buffer
730 for (i = TIBUFLEN - 1; i >= 0; i--) {
731 for (j = 0; j < 32; j++) {
732 if (buf[i] & (1u << j)) {
733 dest[--n] = 1;
734 } else {
735 dest[--n] = -1;
736 }
737 }
738 }
739
740 // reset SSC
741 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER);
742 }
743
744 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
745 // if crc provided, it will be written with the data verbatim (even if bogus)
746 // if not provided a valid crc will be computed from the data and written.
747 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc) {
748 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
749 if (crc == 0) {
750 crc = update_crc16(crc, (idlo) & 0xff);
751 crc = update_crc16(crc, (idlo >> 8) & 0xff);
752 crc = update_crc16(crc, (idlo >> 16) & 0xff);
753 crc = update_crc16(crc, (idlo >> 24) & 0xff);
754 crc = update_crc16(crc, (idhi) & 0xff);
755 crc = update_crc16(crc, (idhi >> 8) & 0xff);
756 crc = update_crc16(crc, (idhi >> 16) & 0xff);
757 crc = update_crc16(crc, (idhi >> 24) & 0xff);
758 }
759 Dbprintf("Writing to tag: %x%08x, crc=%x", idhi, idlo, crc);
760
761 // TI tags charge at 134.2kHz
762 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_134); //~134kHz
763 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
764 // connects to SSP_DIN and the SSP_DOUT logic level controls
765 // whether we're modulating the antenna (high)
766 // or listening to the antenna (low)
767 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
768 StartTicks();
769
770 LED_A_ON();
771
772 // steal this pin from the SSP and use it to control the modulation
773 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
774 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
775
776 // writing algorithm:
777 // a high bit consists of a field off for 1ms and field on for 1ms
778 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
779 // initiate a charge time of 50ms (field on) then immediately start writing bits
780 // start by writing 0xBB (keyword) and 0xEB (password)
781 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
782 // finally end with 0x0300 (write frame)
783 // all data is sent lsb first
784 // finish with 50ms programming time
785
786 // modulate antenna
787 HIGH(GPIO_SSC_DOUT);
788 WaitMS(50); // charge time
789
790 WriteTIbyte(0xbb); // keyword
791 WriteTIbyte(0xeb); // password
792 WriteTIbyte((idlo) & 0xff);
793 WriteTIbyte((idlo >> 8) & 0xff);
794 WriteTIbyte((idlo >> 16) & 0xff);
795 WriteTIbyte((idlo >> 24) & 0xff);
796 WriteTIbyte((idhi) & 0xff);
797 WriteTIbyte((idhi >> 8) & 0xff);
798 WriteTIbyte((idhi >> 16) & 0xff);
799 WriteTIbyte((idhi >> 24) & 0xff); // data hi to lo
800 WriteTIbyte((crc) & 0xff); // crc lo
801 WriteTIbyte((crc >> 8) & 0xff); // crc hi
802 WriteTIbyte(0x00); // write frame lo
803 WriteTIbyte(0x03); // write frame hi
804 HIGH(GPIO_SSC_DOUT);
805 WaitMS(50); // programming time
806
807 LED_A_OFF();
808
809 // get TI tag data into the buffer
810 AcquireTiType();
811
812 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
813 DbpString("Now use `lf ti reader` to check");
814 StopTicks();
815 }
816
817 // note: a call to FpgaDownloadAndGo(FPGA_BITSTREAM_LF) must be done before, but
818 // this may destroy the bigbuf so be sure this is called before calling SimulateTagLowFrequencyEx
819 void SimulateTagLowFrequencyEx(int period, int gap, bool ledcontrol, int numcycles) {
820
821 // start us timer
822 StartTicks();
823
824 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE );
825 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
826 WaitMS(20);
827
828 int i = 0, x = 0;
829 uint8_t *buf = BigBuf_get_addr();
830
831 // set frequency, get values from 'lf config' command
832 sample_config *sc = getSamplingConfig();
833
834 if ((sc->divisor == 1) || (sc->divisor < 0) || (sc->divisor > 255))
835 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_134); //~134kHz
836 else if (sc->divisor == 0)
837 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
838 else
839 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
840
841 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
842 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
843 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
844
845 uint16_t check = 0;
846
847 for (;;) {
848
849 if (numcycles > -1) {
850 if (x != numcycles) {
851 ++x;
852 } else {
853 // exit without turning off field
854 return;
855 }
856 }
857
858 if (ledcontrol) LED_D_ON();
859
860 // wait until SSC_CLK goes HIGH
861 // used as a simple detection of a reader field?
862 while (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
863 WDT_HIT();
864 if (check == 1000) {
865 if (data_available() || BUTTON_PRESS())
866 goto OUT;
867 check = 0;
868 }
869 ++check;
870 }
871
872 if (ledcontrol) LED_D_OFF();
873
874 if (buf[i])
875 OPEN_COIL();
876 else
877 SHORT_COIL();
878
879 check = 0;
880
881 //wait until SSC_CLK goes LOW
882 while (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
883 WDT_HIT();
884 if (check == 2000) {
885 if (BUTTON_PRESS() || data_available())
886 goto OUT;
887 check = 0;
888 }
889 ++check;
890 }
891
892 i++;
893 if (i == period) {
894 i = 0;
895 if (gap) {
896 SHORT_COIL();
897 WaitUS(gap);
898 }
899 }
900 }
901 OUT:
902 StopTicks();
903 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
904 LED_D_OFF();
905 }
906
907 void SimulateTagLowFrequency(int period, int gap, bool ledcontrol) {
908 SimulateTagLowFrequencyEx(period, gap, ledcontrol, -1);
909 }
910
911
912 #define DEBUG_FRAME_CONTENTS 1
913 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen) {
914 }
915
916 // compose fc/X fc/Y waveform (FSKx)
917 static void fcAll(uint8_t fc, int *n, uint8_t clock, int16_t *remainder) {
918 uint8_t *dest = BigBuf_get_addr();
919 uint8_t halfFC = fc >> 1;
920 uint8_t wavesPerClock = (clock + *remainder) / fc;
921 // loop through clock - step field clock
922 for (uint8_t idx = 0; idx < wavesPerClock; idx++) {
923 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
924 memset(dest + (*n), 0, fc - halfFC); //in case of odd number use extra here
925 memset(dest + (*n) + (fc - halfFC), 1, halfFC);
926 *n += fc;
927 }
928 *remainder = (clock + *remainder) % fc;
929 // if we've room for more than a half wave, add a full wave and use negative remainder
930 if (*remainder > halfFC) {
931 memset(dest + (*n), 0, fc - halfFC); //in case of odd number use extra here
932 memset(dest + (*n) + (fc - halfFC), 1, halfFC);
933 *n += fc;
934 *remainder -= fc;
935 }
936 }
937
938 // prepare a waveform pattern in the buffer based on the ID given then
939 // simulate a HID tag until the button is pressed
940 void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles) {
941
942 /*
943 HID tag bitstream format
944 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
945 A 1 bit is represented as 6 fc8 and 5 fc10 patterns (manchester 10) during 2 clock periods. (1bit = 1clock period)
946 A 0 bit is represented as 5 fc10 and 6 fc8 patterns (manchester 01)
947 A fc8 is inserted before every 4 bits
948 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
949 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
950
951 FSK2a
952 bit 1 = fc10
953 bit 0 = fc8
954 */
955
956 // special start of frame marker containing invalid Manchester bit sequences
957 uint8_t bits[8 + 8 * 2 + 84 * 2] = { 0, 0, 0, 1, 1, 1, 0, 1 };
958 uint8_t bitlen = 0;
959 uint16_t n = 8;
960
961 if (longFMT) {
962 // Ensure no more than 84 bits supplied
963 if (hi2 > 0xFFFFF) {
964 DbpString("Tags can only have 84 bits.");
965 return;
966 }
967 bitlen = 8 + 8 * 2 + 84 * 2;
968 hi2 |= 0x9E00000; // 9E: long format identifier
969 manchesterEncodeUint32(hi2, 16 + 12, bits, &n);
970 manchesterEncodeUint32(hi, 32, bits, &n);
971 manchesterEncodeUint32(lo, 32, bits, &n);
972 } else {
973
974 if (hi > 0xFFF) {
975 DbpString("[!] tags can only have 44 bits. - USE lf simfsk for larger tags");
976 return;
977 }
978 bitlen = 8 + 44 * 2;
979 manchesterEncodeUint32(hi, 12, bits, &n);
980 manchesterEncodeUint32(lo, 32, bits, &n);
981 }
982 CmdFSKsimTAGEx(10, 8, 0, 50, bitlen, bits, ledcontrol, numcycles);
983 }
984
985 void CmdHIDsimTAG(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol) {
986 CmdHIDsimTAGEx(hi2, hi, lo, longFMT, ledcontrol, -1);
987 reply_ng(CMD_LF_HID_SIMULATE, PM3_EOPABORTED, NULL, 0);
988 }
989
990 // prepare a waveform pattern in the buffer based on the ID given then
991 // simulate a FSK tag until the button is pressed
992 // arg1 contains fcHigh and fcLow, arg2 contains STT marker and clock
993 void CmdFSKsimTAGEx(uint8_t fchigh, uint8_t fclow, uint8_t separator, uint8_t clk, uint16_t bitslen, uint8_t *bits, bool ledcontrol, int numcycles) {
994
995 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
996
997 // free eventually allocated BigBuf memory
998 BigBuf_free();
999 BigBuf_Clear_ext(false);
1000 clear_trace();
1001 set_tracing(false);
1002
1003 int n = 0, i = 0;
1004 int16_t remainder = 0;
1005
1006 if (separator) {
1007 //int fsktype = ( fchigh == 8 && fclow == 5) ? 1 : 2;
1008 //fcSTT(&n);
1009 }
1010 for (i = 0; i < bitslen; i++) {
1011 if (bits[i])
1012 fcAll(fchigh, &n, clk, &remainder);
1013 else
1014 fcAll(fclow, &n, clk, &remainder);
1015 }
1016
1017 WDT_HIT();
1018
1019 Dbprintf("FSK simulating with rf/%d, fc high %d, fc low %d, STT %d, n %d", clk, fchigh, fclow, separator, n);
1020
1021 if (ledcontrol) LED_A_ON();
1022 SimulateTagLowFrequencyEx(n, 0, ledcontrol, numcycles);
1023 if (ledcontrol) LED_A_OFF();
1024 }
1025
1026 // prepare a waveform pattern in the buffer based on the ID given then
1027 // simulate a FSK tag until the button is pressed
1028 // arg1 contains fcHigh and fcLow, arg2 contains STT marker and clock
1029 void CmdFSKsimTAG(uint8_t fchigh, uint8_t fclow, uint8_t separator, uint8_t clk, uint16_t bitslen, uint8_t *bits, bool ledcontrol) {
1030 CmdFSKsimTAGEx(fchigh, fclow, separator, clk, bitslen, bits, ledcontrol, -1);
1031 reply_ng(CMD_LF_FSK_SIMULATE, PM3_EOPABORTED, NULL, 0);
1032 }
1033
1034 // compose ask waveform for one bit(ASK)
1035 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester) {
1036 uint8_t *dest = BigBuf_get_addr();
1037 uint8_t halfClk = clock / 2;
1038 // c = current bit 1 or 0
1039 if (manchester == 1) {
1040 memset(dest + (*n), c, halfClk);
1041 memset(dest + (*n) + halfClk, c ^ 1, halfClk);
1042 } else {
1043 memset(dest + (*n), c, clock);
1044 }
1045 *n += clock;
1046 }
1047
1048 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase) {
1049 uint8_t *dest = BigBuf_get_addr();
1050 uint8_t halfClk = clock / 2;
1051 if (c) {
1052 memset(dest + (*n), c ^ 1 ^ *phase, halfClk);
1053 memset(dest + (*n) + halfClk, c ^ *phase, halfClk);
1054 } else {
1055 memset(dest + (*n), c ^ *phase, clock);
1056 *phase ^= 1;
1057 }
1058 *n += clock;
1059 }
1060
1061 static void stAskSimBit(int *n, uint8_t clock) {
1062 uint8_t *dest = BigBuf_get_addr();
1063 uint8_t halfClk = clock / 2;
1064 //ST = .5 high .5 low 1.5 high .5 low 1 high
1065 memset(dest + (*n), 1, halfClk);
1066 memset(dest + (*n) + halfClk, 0, halfClk);
1067 memset(dest + (*n) + clock, 1, clock + halfClk);
1068 memset(dest + (*n) + clock * 2 + halfClk, 0, halfClk);
1069 memset(dest + (*n) + clock * 3, 1, clock);
1070 *n += clock * 4;
1071 }
1072 static void leadingZeroAskSimBits(int *n, uint8_t clock) {
1073 uint8_t *dest = BigBuf_get_addr();
1074 memset(dest + (*n), 0, clock * 8);
1075 *n += clock * 8;
1076 }
1077 /*
1078 static void leadingZeroBiphaseSimBits(int *n, uint8_t clock, uint8_t *phase) {
1079 uint8_t *dest = BigBuf_get_addr();
1080 for (uint8_t i = 0; i < 8; i++) {
1081 memset(dest + (*n), 0 ^ *phase, clock);
1082 *phase ^= 1;
1083 *n += clock;
1084 }
1085 }
1086 */
1087
1088
1089 // args clock, ask/man or askraw, invert, transmission separator
1090 void CmdASKsimTAG(uint8_t encoding, uint8_t invert, uint8_t separator, uint8_t clk, uint16_t size, uint8_t *bits, bool ledcontrol) {
1091 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1092 set_tracing(false);
1093
1094 int n = 0, i = 0;
1095
1096 if (encoding == 2) { //biphase
1097 uint8_t phase = 0;
1098
1099 // iceman, if I add this, the demod includes these extra zero and detection fails.
1100 // now, I only need to figure out just to add carrier without modulation
1101 // the old bug, with adding ask zeros messed up the phase variable and deteion failed because of it in LF FDX
1102 // leadingZeroBiphaseSimBits(&n, clk, &phase);
1103
1104 for (i = 0; i < size; i++) {
1105 biphaseSimBit(bits[i] ^ invert, &n, clk, &phase);
1106 }
1107 if (phase == 1) { //run a second set inverted to keep phase in check
1108 for (i = 0; i < size; i++) {
1109 biphaseSimBit(bits[i] ^ invert, &n, clk, &phase);
1110 }
1111 }
1112 } else { // ask/manchester || ask/raw
1113
1114 leadingZeroAskSimBits(&n, clk);
1115
1116 for (i = 0; i < size; i++) {
1117 askSimBit(bits[i] ^ invert, &n, clk, encoding);
1118 }
1119 if (encoding == 0 && bits[0] == bits[size - 1]) { //run a second set inverted (for ask/raw || biphase phase)
1120 for (i = 0; i < size; i++) {
1121 askSimBit(bits[i] ^ invert ^ 1, &n, clk, encoding);
1122 }
1123 }
1124 }
1125 if (separator == 1 && encoding == 1)
1126 stAskSimBit(&n, clk);
1127 else if (separator == 1)
1128 Dbprintf("sorry but separator option not yet available");
1129
1130 WDT_HIT();
1131
1132 Dbprintf("ASK simulating with rf/%d, invert %d, encoding %s (%d), separator %d, n %d"
1133 , clk
1134 , invert
1135 , (encoding == 2) ? "ASK/BI" : (encoding == 1) ? "ASK/MAN" : "RAW/MAN"
1136 , encoding
1137 , separator
1138 , n
1139 );
1140
1141 if (ledcontrol) LED_A_ON();
1142 SimulateTagLowFrequency(n, 0, ledcontrol);
1143 if (ledcontrol) LED_A_OFF();
1144 reply_ng(CMD_LF_ASK_SIMULATE, PM3_EOPABORTED, NULL, 0);
1145 }
1146
1147 //carrier can be 2,4 or 8
1148 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg) {
1149 uint8_t *dest = BigBuf_get_addr();
1150 uint8_t halfWave = waveLen / 2;
1151 //uint8_t idx;
1152 int i = 0;
1153 if (phaseChg) {
1154 // write phase change
1155 memset(dest + (*n), *curPhase ^ 1, halfWave);
1156 memset(dest + (*n) + halfWave, *curPhase, halfWave);
1157 *n += waveLen;
1158 *curPhase ^= 1;
1159 i += waveLen;
1160 }
1161 //write each normal clock wave for the clock duration
1162 for (; i < clk; i += waveLen) {
1163 memset(dest + (*n), *curPhase, halfWave);
1164 memset(dest + (*n) + halfWave, *curPhase ^ 1, halfWave);
1165 *n += waveLen;
1166 }
1167 }
1168
1169 // args clock, carrier, invert,
1170 void CmdPSKsimTAG(uint8_t carrier, uint8_t invert, uint8_t clk, uint16_t size, uint8_t *bits, bool ledcontrol) {
1171 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1172 set_tracing(false);
1173
1174 int n = 0, i = 0;
1175 uint8_t curPhase = 0;
1176 for (i = 0; i < size; i++) {
1177 if (bits[i] == curPhase) {
1178 pskSimBit(carrier, &n, clk, &curPhase, false);
1179 } else {
1180 pskSimBit(carrier, &n, clk, &curPhase, true);
1181 }
1182 }
1183
1184 WDT_HIT();
1185
1186 Dbprintf("PSK simulating with rf/%d, fc/%d, invert %d, n %d", clk, carrier, invert, n);
1187
1188 if (ledcontrol) LED_A_ON();
1189 SimulateTagLowFrequency(n, 0, ledcontrol);
1190 if (ledcontrol) LED_A_OFF();
1191 reply_ng(CMD_LF_PSK_SIMULATE, PM3_EOPABORTED, NULL, 0);
1192 }
1193
1194 // compose nrz waveform for one bit(NRZ)
1195 static void nrzSimBit(uint8_t c, int *n, uint8_t clock) {
1196 uint8_t *dest = BigBuf_get_addr();
1197 // uint8_t halfClk = clock / 2;
1198 // c = current bit 1 or 0
1199 memset(dest + (*n), c, clock);
1200 *n += clock;
1201 }
1202
1203 // args clock,
1204 void CmdNRZsimTAG(uint8_t invert, uint8_t separator, uint8_t clk, uint16_t size, uint8_t *bits, bool ledcontrol) {
1205
1206 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1207 set_tracing(false);
1208
1209 int n = 0, i = 0;
1210
1211 // NRZ
1212
1213 leadingZeroAskSimBits(&n, clk);
1214
1215 for (i = 0; i < size; i++) {
1216 nrzSimBit(bits[i] ^ invert, &n, clk);
1217 }
1218
1219 if (bits[0] == bits[size - 1]) {
1220 for (i = 0; i < size; i++) {
1221 nrzSimBit(bits[i] ^ invert ^ 1, &n, clk);
1222 }
1223 }
1224
1225 if (separator == 1)
1226 Dbprintf("sorry but separator option not yet available");
1227
1228 WDT_HIT();
1229
1230 Dbprintf("NRZ simulating with rf/%d, invert %d, separator %d, n %d"
1231 , clk
1232 , invert
1233 , separator
1234 , n
1235 );
1236
1237 if (ledcontrol) LED_A_ON();
1238 SimulateTagLowFrequency(n, 0, ledcontrol);
1239 if (ledcontrol) LED_A_OFF();
1240 reply_ng(CMD_LF_NRZ_SIMULATE, PM3_EOPABORTED, NULL, 0);
1241 }
1242
1243 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
1244 int lf_hid_watch(int findone, uint32_t *high, uint32_t *low) {
1245
1246 size_t size;
1247 uint32_t hi2 = 0, hi = 0, lo = 0;
1248 int dummyIdx = 0;
1249 // Configure to go in 125kHz listen mode
1250 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1251
1252 uint8_t *dest = BigBuf_get_addr();
1253 BigBuf_Clear_keep_EM();
1254 clear_trace();
1255 set_tracing(false);
1256
1257 //clear read buffer
1258 BigBuf_Clear_keep_EM();
1259
1260 int res = PM3_SUCCESS;
1261 for (;;) {
1262
1263 WDT_HIT();
1264
1265 if (data_available() || BUTTON_PRESS()) {
1266 res = PM3_EOPABORTED;
1267 break;
1268 }
1269
1270 DoAcquisition_default(-1, false);
1271
1272 // FSK demodulator
1273 // 50 * 128 * 2 - big enough to catch 2 sequences of largest format
1274 size = MIN(12800, BigBuf_max_traceLen());
1275
1276 int idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
1277 if (idx < 0) continue;
1278
1279 if (idx > 0 && lo > 0 && (size == 96 || size == 192)) {
1280 // go over previously decoded manchester data and decode into usable tag ID
1281 if (hi2 != 0) { //extra large HID tags 88/192 bits
1282 Dbprintf("TAG ID: " _GREEN_("%x%08x%08x") " (%d)",
1283 hi2,
1284 hi,
1285 lo,
1286 (lo >> 1) & 0xFFFF
1287 );
1288 } else { //standard HID tags 44/96 bits
1289 uint8_t bitlen = 0;
1290 uint32_t fac = 0;
1291 uint32_t cardnum = 0;
1292
1293 if (((hi >> 5) & 1) == 1) { //if bit 38 is set then < 37 bit format is used
1294 uint32_t lo2 = 0;
1295 lo2 = (((hi & 31) << 12) | (lo >> 20)); //get bits 21-37 to check for format len bit
1296 uint8_t idx3 = 1;
1297 while (lo2 > 1) { //find last bit set to 1 (format len bit)
1298 lo2 >>= 1;
1299 idx3++;
1300 }
1301 bitlen = idx3 + 19;
1302 fac = 0;
1303 cardnum = 0;
1304 if (bitlen == 26) {
1305 cardnum = (lo >> 1) & 0xFFFF;
1306 fac = (lo >> 17) & 0xFF;
1307 }
1308 if (bitlen == 37) {
1309 cardnum = (lo >> 1) & 0x7FFFF;
1310 fac = ((hi & 0xF) << 12) | (lo >> 20);
1311 }
1312 if (bitlen == 34) {
1313 cardnum = (lo >> 1) & 0xFFFF;
1314 fac = ((hi & 1) << 15) | (lo >> 17);
1315 }
1316 if (bitlen == 35) {
1317 cardnum = (lo >> 1) & 0xFFFFF;
1318 fac = ((hi & 1) << 11) | (lo >> 21);
1319 }
1320 } else { //if bit 38 is not set then 37 bit format is used
1321 bitlen = 37;
1322 cardnum = (lo >> 1) & 0x7FFFF;
1323 fac = ((hi & 0xF) << 12) | (lo >> 20);
1324 }
1325 Dbprintf("TAG ID: " _GREEN_("%x%08x (%d)") " - Format Len: " _GREEN_("%d") " bit - FC: " _GREEN_("%d") " - Card: "_GREEN_("%d"),
1326 hi,
1327 lo,
1328 (lo >> 1) & 0xFFFF,
1329 bitlen,
1330 fac,
1331 cardnum
1332 );
1333 }
1334 if (findone) {
1335 *high = hi;
1336 *low = lo;
1337 break;
1338 }
1339 // reset
1340 }
1341 hi2 = hi = lo = idx = 0;
1342 }
1343 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1344 BigBuf_free();
1345 LEDsoff();
1346 return res;
1347 }
1348
1349 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
1350 int lf_awid_watch(int findone, uint32_t *high, uint32_t *low) {
1351
1352 size_t size;
1353 int dummyIdx = 0;
1354
1355 uint8_t *dest = BigBuf_get_addr();
1356 BigBuf_Clear_keep_EM();
1357 clear_trace();
1358 set_tracing(false);
1359
1360 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1361
1362 int res = PM3_SUCCESS;
1363 for (;;) {
1364
1365 WDT_HIT();
1366
1367 if (data_available() || BUTTON_PRESS()) {
1368 res = PM3_EOPABORTED;
1369 break;
1370 }
1371
1372 DoAcquisition_default(-1, false);
1373 // FSK demodulator
1374
1375 size = MIN(12800, BigBuf_max_traceLen());
1376
1377 //askdemod and manchester decode
1378 int idx = detectAWID(dest, &size, &dummyIdx);
1379
1380 if (idx <= 0 || size != 96) continue;
1381 // Index map
1382 // 0 10 20 30 40 50 60
1383 // | | | | | | |
1384 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
1385 // -----------------------------------------------------------------------------
1386 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
1387 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
1388 // |---26 bit---| |-----117----||-------------142-------------|
1389 // b = format bit len, o = odd parity of last 3 bits
1390 // f = facility code, c = card number
1391 // w = wiegand parity
1392 // (26 bit format shown)
1393
1394 //get raw ID before removing parities
1395 uint32_t rawLo = bytebits_to_byte(dest + idx + 64, 32);
1396 uint32_t rawHi = bytebits_to_byte(dest + idx + 32, 32);
1397 uint32_t rawHi2 = bytebits_to_byte(dest + idx, 32);
1398
1399 size = removeParity(dest, idx + 8, 4, 1, 88);
1400 if (size != 66) continue;
1401 // ok valid card found!
1402
1403 // Index map
1404 // 0 10 20 30 40 50 60
1405 // | | | | | | |
1406 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
1407 // -----------------------------------------------------------------------------
1408 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
1409 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1410 // |26 bit| |-117--| |-----142------|
1411 // b = format bit len, o = odd parity of last 3 bits
1412 // f = facility code, c = card number
1413 // w = wiegand parity
1414 // (26 bit format shown)
1415
1416 uint8_t fmtLen = bytebits_to_byte(dest, 8);
1417 if (fmtLen == 26) {
1418 uint32_t fac = bytebits_to_byte(dest + 9, 8);
1419 uint32_t cardnum = bytebits_to_byte(dest + 17, 16);
1420 uint32_t code1 = bytebits_to_byte(dest + 8, fmtLen);
1421 Dbprintf("AWID Found - Bit length: " _GREEN_("%d") ", FC: " _GREEN_("%d") ", Card: " _GREEN_("%d") " - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fac, cardnum, code1, rawHi2, rawHi, rawLo);
1422 } else {
1423 uint32_t cardnum = bytebits_to_byte(dest + 8 + (fmtLen - 17), 16);
1424 if (fmtLen > 32) {
1425 uint32_t code1 = bytebits_to_byte(dest + 8, fmtLen - 32);
1426 uint32_t code2 = bytebits_to_byte(dest + 8 + (fmtLen - 32), 32);
1427 Dbprintf("AWID Found - Bit length: " _GREEN_("%d") " -unknown bit length- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1428 } else {
1429 uint32_t code1 = bytebits_to_byte(dest + 8, fmtLen);
1430 Dbprintf("AWID Found - Bit length: " _GREEN_("%d") " -unknown bit length- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1431 }
1432 }
1433 if (findone) {
1434 *high = rawHi;
1435 *low = rawLo;
1436 break;
1437 }
1438 }
1439
1440 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1441 BigBuf_free();
1442 LEDsoff();
1443 return res;
1444 }
1445
1446 int lf_em410x_watch(int findone, uint32_t *high, uint64_t *low) {
1447
1448 size_t size, idx = 0;
1449 int clk = 0, invert = 0, maxErr = 20;
1450 uint32_t hi = 0;
1451 uint64_t lo = 0;
1452
1453 uint8_t *dest = BigBuf_get_addr();
1454 clear_trace();
1455 set_tracing(false);
1456 BigBuf_Clear_keep_EM();
1457
1458 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1459
1460 int res = PM3_SUCCESS;
1461 for (;;) {
1462 WDT_HIT();
1463
1464 if (data_available() || BUTTON_PRESS()) {
1465 res = PM3_EOPABORTED;
1466 break;
1467 }
1468
1469 DoAcquisition_default(-1, false);
1470
1471 size = MIN(16385, BigBuf_max_traceLen());
1472
1473 //askdemod and manchester decode
1474 int errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1475 if (errCnt > 50) continue;
1476
1477 WDT_HIT();
1478
1479 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1480 if (errCnt == 1) {
1481 if (size == 128) {
1482 Dbprintf("EM XL TAG ID: " _GREEN_("%06x%08x%08x") " - ( %05d_%03d_%08d )",
1483 hi,
1484 (uint32_t)(lo >> 32),
1485 (uint32_t)lo,
1486 (uint32_t)(lo & 0xFFFF),
1487 (uint32_t)((lo >> 16LL) & 0xFF),
1488 (uint32_t)(lo & 0xFFFFFF));
1489 } else {
1490 Dbprintf("EM TAG ID: " _GREEN_("%02x%08x") " - ( %05d_%03d_%08d )",
1491 (uint32_t)(lo >> 32),
1492 (uint32_t)lo,
1493 (uint32_t)(lo & 0xFFFF),
1494 (uint32_t)((lo >> 16LL) & 0xFF),
1495 (uint32_t)(lo & 0xFFFFFF));
1496 }
1497
1498 if (findone) {
1499 *high = hi;
1500 *low = lo;
1501 break;
1502 }
1503 }
1504 hi = lo = size = idx = 0;
1505 clk = invert = 0;
1506 }
1507
1508 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1509 BigBuf_free();
1510 LEDsoff();
1511 return res;
1512 }
1513
1514 int lf_io_watch(int findone, uint32_t *high, uint32_t *low) {
1515
1516 int dummyIdx = 0;
1517 uint32_t code = 0, code2 = 0;
1518 uint8_t version = 0, facilitycode = 0;
1519 uint16_t number = 0;
1520
1521 uint8_t *dest = BigBuf_get_addr();
1522 BigBuf_Clear_keep_EM();
1523 clear_trace();
1524 set_tracing(false);
1525
1526 // Configure to go in 125kHz listen mode
1527 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1528
1529 int res = PM3_SUCCESS;
1530 for (;;) {
1531
1532 WDT_HIT();
1533
1534 if (data_available() || BUTTON_PRESS()) {
1535 res = PM3_EOPABORTED;
1536 break;
1537 }
1538
1539 DoAcquisition_default(-1, false);
1540
1541 size_t size = MIN(12000, BigBuf_max_traceLen());
1542
1543 //fskdemod and get start index
1544 int idx = detectIOProx(dest, &size, &dummyIdx);
1545 if (idx < 0) continue;
1546 //valid tag found
1547
1548 //Index map
1549 //0 10 20 30 40 50 60
1550 //| | | | | | |
1551 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1552 //-----------------------------------------------------------------------------
1553 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 checksum 11
1554 //
1555 //Checksum:
1556 //00000000 0 11110000 1 11100000 1 00000001 1 00000011 1 10110110 1 01110101 11
1557 //preamble F0 E0 01 03 B6 75
1558 // How to calc checksum,
1559 // http://www.proxmark.org/forum/viewtopic.php?id=364&p=6
1560 // F0 + E0 + 01 + 03 + B6 = 28A
1561 // 28A & FF = 8A
1562 // FF - 8A = 75
1563 // Checksum: 0x75
1564 //XSF(version)facility:codeone+codetwo
1565 //Handle the data
1566 // if(findone){ //only print binary if we are doing one
1567 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1568 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1569 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1570 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1571 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1572 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1573 // Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1574 // }
1575 code = bytebits_to_byte(dest + idx, 32);
1576 code2 = bytebits_to_byte(dest + idx + 32, 32);
1577 version = bytebits_to_byte(dest + idx + 27, 8); //14,4
1578 facilitycode = bytebits_to_byte(dest + idx + 18, 8);
1579 number = (bytebits_to_byte(dest + idx + 36, 8) << 8) | (bytebits_to_byte(dest + idx + 45, 8)); //36,9
1580
1581 Dbprintf("IO Prox " _GREEN_("XSF(%02d)%02x:%05d") " (%08x%08x) (%s)", version, facilitycode, number, code, code2);
1582
1583 if (findone) {
1584 *high = code;
1585 *low = code2;
1586 break;
1587 }
1588 code = code2 = 0;
1589 version = facilitycode = 0;
1590 number = 0;
1591 }
1592 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1593 BigBuf_free();
1594 LEDsoff();
1595 return res;
1596 }
1597
1598 /*------------------------------
1599 * T5555/T5557/T5567/T5577 routines
1600 *------------------------------
1601 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1602 *
1603 * Relevant communication times in microsecond
1604 * To compensate antenna falling times shorten the write times
1605 * and enlarge the gap ones.
1606 * Q5 tags seems to have issues when these values changes.
1607 */
1608
1609 void TurnReadLFOn(uint32_t delay) {
1610 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD);
1611
1612 // measure antenna strength.
1613 //int adcval = ((MAX_ADC_LF_VOLTAGE * (SumAdc(ADC_CHAN_LF, 32) >> 1)) >> 14);
1614 WaitUS(delay);
1615 }
1616 static void TurnReadLF_off(uint32_t delay) {
1617 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1618 WaitUS(delay);
1619 }
1620
1621 // Macro for code readability
1622 #define BITSTREAM_BYTE(x) ((x) >> 3) // iceman note: isn't this NIBBLE???
1623 #define BITSTREAM_BIT(x) ((x) & 7)
1624
1625 #define T55_LLR_REF (136 * 8)
1626
1627 // Write one bit to chip
1628 static void T55xxWriteBit(uint8_t bit, uint8_t downlink_idx) {
1629
1630 switch (bit) {
1631 case 0 :
1632 // send bit 0/00
1633 TurnReadLFOn(T55xx_Timing.m[downlink_idx].write_0);
1634 break;
1635 case 1 :
1636 // send bit 1/01
1637 TurnReadLFOn(T55xx_Timing.m[downlink_idx].write_1);
1638 break;
1639 case 2 :
1640 // send bits 10 (1 of 4)
1641 TurnReadLFOn(T55xx_Timing.m[downlink_idx].write_2);
1642 break;
1643 case 3 :
1644 // send bits 11 (1 of 4)
1645 TurnReadLFOn(T55xx_Timing.m[downlink_idx].write_3);
1646 break;
1647 case 4 :
1648 // send Long Leading Reference
1649 TurnReadLFOn(T55xx_Timing.m[downlink_idx].write_0 + T55_LLR_REF);
1650 break;
1651 }
1652
1653 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1654 WaitUS(T55xx_Timing.m[downlink_idx].write_gap);
1655 }
1656
1657 // Function to abstract an Arbitrary length byte array to store bit pattern.
1658 // bit_array - Array to hold data/bit pattern
1659 // start_offset - bit location to start storing new bits.
1660 // data - upto 32 bits of data to store
1661 // num_bits - how many bits (low x bits of data) Max 32 bits at a time
1662 // max_len - how many bytes can the bit_array hold (ensure no buffer overflow)
1663 // returns "Next" bit offset / bits stored (for next store)
1664 static uint8_t T55xx_SetBits(uint8_t *bs, uint8_t start_offset, uint32_t data, uint8_t num_bits, uint8_t max_len) {
1665 int8_t next_offset = start_offset;
1666
1667 // Check if data will fit.
1668 if ((start_offset + num_bits) <= (max_len * 8)) {
1669 // Loop through the data and store
1670 for (int8_t offset = (num_bits - 1); offset >= 0; offset--) {
1671
1672 if ((data >> offset) & 1)
1673 bs[BITSTREAM_BYTE(next_offset)] |= (1 << BITSTREAM_BIT(next_offset)); // Set 1
1674 else
1675 bs[BITSTREAM_BYTE(next_offset)] &= (0xff ^ (1 << BITSTREAM_BIT(next_offset))); // Set 0
1676
1677 next_offset++;
1678 }
1679 } else {
1680 // Note: This should never happen unless some code changes cause it.
1681 // So short message for coders when testing.
1682 Dbprintf(_RED_("T55 too many bits"));
1683 }
1684 return next_offset;
1685 }
1686
1687 // Send one downlink command to the card
1688 static void T55xx_SendCMD(uint32_t data, uint32_t pwd, uint16_t arg) {
1689
1690 /*
1691 arg bits
1692 xxxx xxxxxxx1 0x001 password mode (Y/N)
1693 xxxx xxxxxx1x 0x002 page (0|1)
1694 xxxx xxxxx1xx 0x004 test mode (Y/N)
1695 xxxx xxx11xxx 0x018 selected downlink mode (0|1|2|3|)
1696 xxxx xx1xxxxx 0x020 !reg_readmode (ICEMAN ?? Why use negative in the bool ??)
1697 xxxx x1xxxxxx 0x040 called for a read, so no data packet (Y/N)
1698 xxxx 1xxxxxxx 0x080 reset (Y/N)
1699 xxx1 xxxxxxxx 0x100 brute force (Y/N)
1700 111x xxxxxxxx 0xE00 block to write (0-7)
1701 */
1702 bool t55_send_pwdmode = (arg & 0x1);
1703 bool t55_send_page = ((arg >> 1) & 0x1);
1704 bool t55_send_testmode = ((arg >> 2) & 0x1);
1705 bool t55_send_regreadmode = ((arg >> 5) & 0x1);
1706 bool t55_send_readcmd = ((arg >> 6) & 0x1);
1707 bool t55_send_reset = ((arg >> 7) & 0x1);
1708 bool t55_brute_mem = ((arg >> 8) & 0x1);
1709
1710 uint8_t downlink_mode = (arg >> 3) & 0x03;
1711 uint8_t block_no = (arg >> 9) & 0x07;
1712
1713 // no startup delay when in bruteforce command
1714 uint8_t start_wait = (t55_brute_mem) ? 0 : 4;
1715
1716 // Max Downlink Command size ~74 bits, so 10 bytes (80 bits)
1717 uint8_t bs[10];
1718 memset(bs, 0x00, sizeof(bs));
1719
1720 uint8_t len = 0;
1721
1722 // build bit stream to send.
1723
1724 // add Leading 0
1725 if (downlink_mode == T55XX_DLMODE_LEADING_ZERO)
1726 len = T55xx_SetBits(bs, len, 0, 1, sizeof(bs));
1727
1728 // add 1 of 4 reference bit
1729 if (downlink_mode == T55XX_DLMODE_1OF4) {
1730 len = T55xx_SetBits(bs, len, 0, 1, sizeof(bs));
1731 // add extra zero
1732 len = T55xx_SetBits(bs, len, 0, 1, sizeof(bs));
1733 }
1734
1735 // add Opcode
1736 if (t55_send_reset) {
1737 // reset : r*) 00
1738 len = T55xx_SetBits(bs, len, 0, 2, sizeof(bs));
1739 } else {
1740
1741 if (t55_send_testmode)
1742 Dbprintf(_YELLOW_("Using Test Mode"));
1743
1744 len = T55xx_SetBits(bs, len, t55_send_testmode ? 0 : 1, 1, sizeof(bs));
1745
1746 len = T55xx_SetBits(bs, len, t55_send_testmode ? 1 : t55_send_page, 1, sizeof(bs));
1747
1748 if (t55_send_pwdmode) {
1749 // Leading 0 and 1 of 4 00 fixed bits if passsword used
1750 if ((downlink_mode == T55XX_DLMODE_LEADING_ZERO) || (downlink_mode == T55XX_DLMODE_1OF4)) {
1751 len = T55xx_SetBits(bs, len, 0, 2, sizeof(bs));
1752 }
1753 len = T55xx_SetBits(bs, len, pwd, 32, sizeof(bs));
1754 }
1755
1756 // Add Lock bit 0
1757 if (t55_send_regreadmode == false)
1758 len = T55xx_SetBits(bs, len, 0, 1, sizeof(bs));
1759
1760 // Add Data if a write command
1761 if (t55_send_readcmd == false)
1762 len = T55xx_SetBits(bs, len, data, 32, sizeof(bs));
1763
1764 // Add Address
1765 if (t55_send_regreadmode == false)
1766 len = T55xx_SetBits(bs, len, block_no, 3, sizeof(bs));
1767 }
1768
1769 // Send Bits to T55xx
1770 // Set up FPGA, 125kHz
1771 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1772
1773 // make sure tag is fully powered up...
1774 WaitMS(start_wait);
1775
1776 // Trigger T55x7 in mode.
1777 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1778 WaitUS(T55xx_Timing.m[downlink_mode].start_gap);
1779
1780 // If long leading 0 send long reference pulse
1781 if (downlink_mode == T55XX_DLMODE_LLR)
1782 T55xxWriteBit(T55XX_LONGLEADINGREFERENCE, downlink_mode);//Timing); // Send Long Leading Start Reference
1783
1784 uint8_t sendbits;
1785 if ((downlink_mode == T55XX_DLMODE_1OF4) && (len > 0)) { // 1 of 4 need to send 2 bits at a time
1786 for (uint8_t i = 0; i < len - 1; i += 2) {
1787 sendbits = (bs[BITSTREAM_BYTE(i)] >> (BITSTREAM_BIT(i)) & 1) << 1; // Bit i
1788 sendbits += (bs[BITSTREAM_BYTE(i + 1)] >> (BITSTREAM_BIT(i + 1)) & 1); // Bit i+1;
1789 T55xxWriteBit(sendbits & 3, downlink_mode);
1790 }
1791 } else {
1792 for (uint8_t i = 0; i < len; i++) {
1793 sendbits = (bs[BITSTREAM_BYTE(i)] >> BITSTREAM_BIT(i));
1794 T55xxWriteBit(sendbits & 1, downlink_mode);
1795 }
1796 }
1797 }
1798
1799 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1800 void T55xxResetRead(uint8_t flags) {
1801
1802 uint8_t downlink_mode = ((flags >> 3) & 3);
1803 uint8_t arg = 0x80 | downlink_mode;
1804
1805 LED_A_ON();
1806
1807 //clear buffer now so it does not interfere with timing later
1808 BigBuf_Clear_keep_EM();
1809
1810 T55xx_SendCMD(0, 0, arg);
1811
1812 TurnReadLFOn(T55xx_Timing.m[downlink_mode].read_gap);
1813
1814 // Acquisition
1815 DoPartialAcquisition(0, false, BigBuf_max_traceLen(), 0);
1816
1817 // Turn the field off
1818 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1819 reply_ng(CMD_LF_T55XX_RESET_READ, PM3_SUCCESS, NULL, 0);
1820 LED_A_OFF();
1821 }
1822
1823 void T55xxDangerousRawTest(uint8_t *data) {
1824 // supports only default downlink mode
1825 t55xx_test_block_t *c = (t55xx_test_block_t *)data;
1826
1827 uint8_t start_wait = 4;
1828 uint8_t bs[128 / 8];
1829 memset(bs, 0x00, sizeof(bs));
1830 uint8_t len = 0;
1831 if (c->bitlen == 0 || c->bitlen > 128 || c->time == 0)
1832 reply_ng(CMD_LF_T55XX_DANGERRAW, PM3_EINVARG, NULL, 0);
1833 for (uint8_t i = 0; i < c->bitlen; i++)
1834 len = T55xx_SetBits(bs, len, c->data[i], 1, sizeof(bs));
1835
1836 if (DBGLEVEL > 1) {
1837 Dbprintf("LEN %i, TIMING %i", len, c->time);
1838 for (uint8_t i = 0; i < len; i++) {
1839 uint8_t sendbits = (bs[BITSTREAM_BYTE(i)] >> BITSTREAM_BIT(i));
1840 Dbprintf("%02i: %i", i, sendbits & 1);
1841 }
1842 }
1843
1844 LED_A_ON();
1845 LFSetupFPGAForADC(LF_DIVISOR_125, true);
1846 // make sure tag is fully powered up...
1847 WaitMS(start_wait);
1848 // Trigger T55x7 in mode.
1849 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1850 WaitUS(T55xx_Timing.m[0].start_gap);
1851 uint8_t sendbits;
1852 for (uint8_t i = 0; i < len; i++) {
1853 sendbits = (bs[BITSTREAM_BYTE(i)] >> BITSTREAM_BIT(i));
1854 T55xxWriteBit(sendbits & 1, 0);
1855 }
1856 TurnReadLFOn(c->time);
1857 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1858 reply_ng(CMD_LF_T55XX_DANGERRAW, PM3_SUCCESS, NULL, 0);
1859 LED_A_OFF();
1860 }
1861
1862 // Write one card block in page 0, no lock
1863 //void T55xxWriteBlockExt(uint32_t data, uint8_t blockno, uint32_t pwd, uint8_t flags) {
1864 void T55xxWriteBlock(uint8_t *data) {
1865
1866 /*
1867 flag bits
1868 xxxxxxx1 0x01 PwdMode
1869 xxxxxx1x 0x02 Page
1870 xxxxx1xx 0x04 testMode
1871 xxx11xxx 0x18 downlink mode
1872 xx1xxxxx 0x20 !reg_readmode
1873 x1xxxxxx 0x40 called for a read, so no data packet
1874 1xxxxxxx 0x80 reset
1875 */
1876
1877 t55xx_write_block_t *c = (t55xx_write_block_t *)data;
1878 // c->data, c->blockno, c->pwd, c->flags
1879
1880 bool testMode = ((c->flags & 0x04) == 0x04);
1881
1882 c->flags &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
1883
1884 LED_A_ON();
1885 T55xx_SendCMD(c->data, c->pwd, c->flags | (c->blockno << 9));
1886
1887 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1888 // so wait a little more)
1889
1890 // "there is a clock delay before programming"
1891 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1892 // so we should wait 1 clock + 5.6ms then read response?
1893 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1894 if (testMode) {
1895 //TESTMODE TIMING TESTS:
1896 // <566us does nothing
1897 // 566-568 switches between wiping to 0s and doing nothing
1898 // 5184 wipes and allows 1 block to be programmed.
1899 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1900 TurnReadLFOn(5184);
1901
1902 } else {
1903 TurnReadLFOn(20 * 1000);
1904 //could attempt to do a read to confirm write took
1905 // as the tag should repeat back the new block
1906 // until it is reset, but to confirm it we would
1907 // need to know the current block 0 config mode for
1908 // modulation clock an other details to demod the response...
1909 // response should be (for t55x7) a 0 bit then (ST if on)
1910 // block data written in on repeat until reset.
1911
1912 //DoPartialAcquisition(20, false, 12000);
1913 }
1914 // turn field off
1915 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1916
1917 reply_ng(CMD_LF_T55XX_WRITEBL, PM3_SUCCESS, NULL, 0);
1918 LED_A_OFF();
1919 }
1920
1921 /*
1922 // uses NG format
1923 void T55xxWriteBlock(uint8_t *data) {
1924 t55xx_write_block_t *c = (t55xx_write_block_t *)data;
1925 T55xxWriteBlockExt(c->data, c->blockno, c->pwd, c->flags);
1926 // reply_ng(CMD_LF_T55XX_WRITEBL, PM3_SUCCESS, NULL, 0);
1927 }
1928 */
1929 /*
1930 // Read one card block in page [page]
1931 void T55xxReadBlockExt(uint16_t flags, uint8_t block, uint32_t pwd) {
1932 / *
1933 flag bits
1934 xxxx xxxxxxx1 0x0001 PwdMode
1935 xxxx xxxxxx1x 0x0002 Page
1936 xxxx xxxxx1xx 0x0004 testMode
1937 xxxx xxx11xxx 0x0018 downlink mode
1938 xxxx xx1xxxxx 0x0020 !reg_readmode
1939 xxxx x1xxxxxx 0x0040 called for a read, so no data packet
1940 xxxx 1xxxxxxx 0x0080 reset
1941 xxx1 xxxxxxxx 0x0100 brute / leave field on
1942 * /
1943 size_t samples = 12000;
1944 bool brute_mem = (flags & 0x0100) >> 8;
1945
1946 LED_A_ON();
1947
1948 if (brute_mem) samples = 1024;
1949
1950 // Set Read Flag to ensure SendCMD does not add "data" to the packet
1951 flags |= 0x40;
1952
1953 // RegRead Mode true block = 0xff, so read without an address
1954 if (block == 0xff) flags |= 0x20;
1955
1956 //make sure block is at max 7
1957 block &= 0x7;
1958
1959 //clear buffer now so it does not interfere with timing later
1960 BigBuf_Clear_keep_EM();
1961
1962 T55xx_SendCMD(0, pwd, flags | (block << 9)); //, true);
1963
1964 // Turn field on to read the response
1965 // 137*8 seems to get to the start of data pretty well...
1966 // but we want to go past the start and let the repeating data settle in...
1967
1968 // TurnReadLFOn(210*8); // issues with block 1 reads so dropping down seemed to help
1969 TurnReadLFOn(137 * 8);
1970
1971 // Acquisition
1972 // Now do the acquisition
1973 DoPartialAcquisition(0, false, samples, 0);
1974
1975 // Turn the field off
1976 if (!brute_mem) {
1977 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1978 reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0);
1979 LED_A_OFF();
1980 }
1981 }
1982 */
1983 // Read one card block in page [page]
1984 void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block, uint32_t pwd, uint8_t downlink_mode) {
1985 /*
1986 flag bits
1987 xxxx xxxxxxx1 0x0001 PwdMode
1988 xxxx xxxxxx1x 0x0002 Page
1989 xxxx xxxxx1xx 0x0004 testMode
1990 xxxx xxx11xxx 0x0018 downlink mode
1991 xxxx xx1xxxxx 0x0020 !reg_readmode
1992 xxxx x1xxxxxx 0x0040 called for a read, so no data packet
1993 xxxx 1xxxxxxx 0x0080 reset
1994 xxx1 xxxxxxxx 0x0100 brute / leave field on
1995 */
1996 uint16_t flags = 0x0040; // read packet
1997 if (pwd_mode) flags |= 0x0001;
1998 if (page) flags |= 0x0002;
1999 flags |= (downlink_mode & 3) << 3;
2000 if (brute_mem) flags |= 0x0100;
2001
2002
2003 size_t samples = 12000;
2004
2005 LED_A_ON();
2006
2007 if (brute_mem) samples = 2048;
2008
2009 //-- Set Read Flag to ensure SendCMD does not add "data" to the packet
2010 //-- flags |= 0x40;
2011
2012 // RegRead Mode true block = 0xff, so read without an address
2013 if (block == 0xff) flags |= 0x20;
2014
2015 //make sure block is at max 7
2016 block &= 0x7;
2017
2018 //clear buffer now so it does not interfere with timing later
2019 BigBuf_Clear_keep_EM();
2020
2021 T55xx_SendCMD(0, pwd, flags | (block << 9)); //, true);
2022
2023 // Turn field on to read the response
2024 // 137*8 seems to get to the start of data pretty well...
2025 // but we want to go past the start and let the repeating data settle in...
2026
2027 // TurnReadLFOn(210*8); // issues with block 1 reads so dropping down seemed to help
2028 TurnReadLFOn(137 * 8);
2029
2030 // Acquisition
2031 // Now do the acquisition
2032 DoPartialAcquisition(0, false, samples, 1000);
2033
2034 // Turn the field off
2035 if (brute_mem == false) {
2036 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2037 reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0);
2038 LED_A_OFF();
2039 }
2040 }
2041
2042
2043 void T55xx_ChkPwds(uint8_t flags) {
2044
2045 #define CHK_SAMPLES_SIGNAL 2048
2046
2047 #ifdef WITH_FLASH
2048 DbpString(_CYAN_("T55XX Check pwds using flashmemory starting"));
2049 #else
2050 DbpString(_CYAN_("T55XX Check pwds starting"));
2051 #endif
2052
2053 // First get baseline and setup LF mode.
2054 uint8_t *buf = BigBuf_get_addr();
2055 uint8_t downlink_mode = (flags >> 3) & 0x03;
2056 uint64_t b1, baseline_faulty = 0;
2057
2058 DbpString("Determine baseline...");
2059
2060 // collect baseline for failed attempt ( should give me block1 )
2061 uint8_t x = 32;
2062 while (x--) {
2063 b1 = 0;
2064 T55xxReadBlock(0, 0, true, 0, 0, downlink_mode);
2065 for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
2066 b1 += (buf[j] * buf[j]);
2067 }
2068 b1 *= b1;
2069 b1 >>= 8;
2070 baseline_faulty += b1;
2071 }
2072 baseline_faulty >>= 5;
2073
2074 if (DBGLEVEL >= DBG_DEBUG)
2075 Dbprintf("Baseline " _YELLOW_("%llu"), baseline_faulty);
2076
2077 uint8_t *pwds = BigBuf_get_EM_addr();
2078 uint16_t pwd_count = 0;
2079
2080 struct p {
2081 bool found;
2082 uint32_t candidate;
2083 } PACKED payload;
2084
2085 payload.found = false;
2086 payload.candidate = 0;
2087
2088 #ifdef WITH_FLASH
2089
2090 BigBuf_Clear_EM();
2091 uint16_t isok = 0;
2092 uint8_t counter[2] = {0x00, 0x00};
2093 isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET, counter, sizeof(counter));
2094 if (isok != sizeof(counter))
2095 goto OUT;
2096
2097 pwd_count = (uint16_t)(counter[1] << 8 | counter[0]);
2098 if (pwd_count == 0)
2099 goto OUT;
2100
2101 // since flash can report way too many pwds, we need to limit it.
2102 // bigbuff EM size is determined by CARD_MEMORY_SIZE
2103 // a password is 4bytes.
2104 uint16_t pwd_size_available = MIN(CARD_MEMORY_SIZE, pwd_count * 4);
2105
2106 // adjust available pwd_count
2107 pwd_count = pwd_size_available / 4;
2108
2109 isok = Flash_ReadData(DEFAULT_T55XX_KEYS_OFFSET + 2, pwds, pwd_size_available);
2110 if (isok != pwd_size_available)
2111 goto OUT;
2112
2113 Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count);
2114
2115 #endif
2116
2117 uint64_t curr, prev = 0;
2118 int32_t idx = -1;
2119
2120 for (uint32_t i = 0; i < pwd_count; i++) {
2121
2122 uint32_t pwd = bytes_to_num(pwds + (i * 4), 4);
2123
2124 T55xxReadBlock(0, true, true, 0, pwd, downlink_mode);
2125
2126 uint64_t sum = 0;
2127 for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
2128 sum += (buf[j] * buf[j]);
2129 }
2130 sum *= sum;
2131 sum >>= 8;
2132
2133 int64_t tmp_dist = (baseline_faulty - sum);
2134 curr = ABS(tmp_dist);
2135
2136 if (DBGLEVEL >= DBG_DEBUG)
2137 Dbprintf("%08x has distance " _YELLOW_("%llu"), pwd, curr);
2138
2139 if (curr > prev) {
2140 idx = i;
2141 prev = curr;
2142 }
2143 }
2144
2145 if (idx != -1) {
2146 payload.found = true;
2147 payload.candidate = bytes_to_num(pwds + (idx * 4), 4);
2148 }
2149
2150 #ifdef WITH_FLASH
2151 OUT:
2152 #endif
2153
2154 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2155 LEDsoff();
2156 reply_ng(CMD_LF_T55XX_CHK_PWDS, PM3_SUCCESS, (uint8_t *)&payload, sizeof(payload));
2157 BigBuf_free();
2158 }
2159
2160 void T55xxWakeUp(uint32_t pwd, uint8_t flags) {
2161
2162 flags |= 0x01 | 0x40 | 0x20; //Password | Read Call (no data) | reg_read no block
2163 LED_B_ON();
2164
2165 T55xx_SendCMD(0, pwd, flags);
2166
2167 //-- Turn and leave field on to let the begin repeating transmission
2168 TurnReadLFOn(20 * 1000);
2169 reply_ng(CMD_LF_T55XX_WAKEUP, PM3_SUCCESS, NULL, 0);
2170 }
2171
2172 /*-------------- Cloning routines -----------*/
2173 static void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
2174 t55xx_write_block_t cmd;
2175 cmd.pwd = 0;
2176 cmd.flags = 0;
2177
2178 for (uint8_t i = numblocks + startblock; i > startblock; i--) {
2179 cmd.data = blockdata[i - 1];
2180 cmd.blockno = i - 1;
2181 T55xxWriteBlock((uint8_t *)&cmd);
2182 }
2183 }
2184 /* disabled until verified.
2185 static void WriteEM4x05(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
2186 for (uint8_t i = numblocks + startblock; i > startblock; i--) {
2187 EM4xWriteWord(i - 1, blockdata[i - 1], 0, false);
2188 }
2189 }
2190 */
2191
2192
2193 // Copy HID id to card and setup block 0 config
2194 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool q5, bool em) {
2195 uint32_t data[] = {0, 0, 0, 0, 0, 0, 0};
2196 uint8_t last_block = 0;
2197
2198 if (longFMT) {
2199 // Ensure no more than 84 bits supplied
2200 if (hi2 > 0xFFFFF) {
2201 DbpString("Tags can only have 84 bits");
2202 return;
2203 }
2204 // Build the 6 data blocks for supplied 84bit ID
2205 last_block = 6;
2206 // load preamble (1D) & long format identifier (9E manchester encoded)
2207 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
2208 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
2209 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
2210 data[3] = manchesterEncode2Bytes(hi >> 16);
2211 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
2212 data[5] = manchesterEncode2Bytes(lo >> 16);
2213 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
2214 } else {
2215 // Ensure no more than 44 bits supplied
2216 if (hi > 0xFFF) {
2217 DbpString("Tags can only have 44 bits, if you want more use long format");
2218 return;
2219 }
2220 // Build the 3 data blocks for supplied 44bit
2221 last_block = 3;
2222 // load preamble
2223 // 24 bits left. ie 12 bits of data, not 16..
2224 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi & 0xFFF) & 0xFFFFFF);
2225 data[2] = manchesterEncode2Bytes(lo >> 16);
2226 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
2227 }
2228 // load chip config block
2229 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
2230
2231 //TODO add selection of chip for Q5 or T55x7
2232 if (q5) {
2233 data[0] = T5555_SET_BITRATE(50) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
2234 } else if (em) {
2235 data[0] = (EM4x05_SET_BITRATE(50) | EM4x05_MODULATION_FSK2 | EM4x05_INVERT | EM4x05_SET_NUM_BLOCKS(last_block));
2236 }
2237
2238 LED_D_ON();
2239 if (em) {
2240 Dbprintf("Clone HID Prox to EM4x05 is untested and disabled until verified");
2241 if (DBGLEVEL == DBG_DEBUG) {
2242 Dbprintf("# | data ( EM4x05 )");
2243 Dbprintf("--+----------------");
2244 Dbprintf("0 | ", data[0]);
2245 Dbprintf("1 | ", data[1]);
2246 Dbprintf("2 | ", data[2]);
2247 Dbprintf("3 | ", data[3]);
2248 Dbprintf("--+----------------");
2249 }
2250 //WriteEM4x05(data, 0, last_block + 1);
2251 } else {
2252 WriteT55xx(data, 0, last_block + 1);
2253 }
2254 LED_D_OFF();
2255 reply_ng(CMD_LF_HID_CLONE, PM3_SUCCESS, NULL, 0);
2256 }
2257
2258 // clone viking tag to T55xx
2259 void CopyVikingtoT55xx(uint8_t *blocks, bool q5, bool em) {
2260
2261 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), 0, 0};
2262 if (q5) {
2263 data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
2264 } else if (em) {
2265 data[0] = (EM4x05_SET_BITRATE(32) | EM4x05_MODULATION_MANCHESTER | EM4x05_SET_NUM_BLOCKS(2));
2266 }
2267
2268 data[1] = bytes_to_num(blocks, 4);
2269 data[2] = bytes_to_num(blocks + 4, 4);
2270
2271 // Program the data blocks for supplied ID and the block 0 config
2272 if (em) {
2273 Dbprintf("Clone Viking to EM4x05 is untested and disabled until verified");
2274 //WriteEM4x05(data, 0, 3);
2275 } else {
2276 WriteT55xx(data, 0, 3);
2277 }
2278 LED_D_OFF();
2279 reply_ng(CMD_LF_VIKING_CLONE, PM3_SUCCESS, NULL, 0);
2280 }
2281
2282 int copy_em410x_to_t55xx(uint8_t card, uint8_t clock, uint32_t id_hi, uint32_t id_lo) {
2283
2284 // Define 9bit header for EM410x tags
2285 #define EM410X_HEADER 0x1FF
2286 #define EM410X_ID_LENGTH 40
2287
2288 uint32_t clockbits = 0;
2289 if (card == 1) { //t55x7
2290 clockbits = GetT55xxClockBit(clock);
2291 if (clockbits == 0) {
2292 Dbprintf("Invalid clock rate: %d", clock);
2293 return PM3_EINVARG;
2294 }
2295 }
2296
2297 int i;
2298 uint64_t id = EM410X_HEADER;
2299 uint64_t rev_id = 0; // reversed ID
2300 int c_parity[4]; // column parity
2301 int r_parity = 0; // row parity
2302
2303 // Reverse ID bits given as parameter (for simpler operations)
2304 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
2305 if (i < 32) {
2306 rev_id = (rev_id << 1) | (id_lo & 1);
2307 id_lo >>= 1;
2308 } else {
2309 rev_id = (rev_id << 1) | (id_hi & 1);
2310 id_hi >>= 1;
2311 }
2312 }
2313
2314 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
2315 int id_bit = rev_id & 1;
2316
2317 if (i % 4 == 0) {
2318 // Don't write row parity bit at start of parsing
2319 if (i)
2320 id = (id << 1) | r_parity;
2321 // Start counting parity for new row
2322 r_parity = id_bit;
2323 } else {
2324 // Count row parity
2325 r_parity ^= id_bit;
2326 }
2327
2328 // First elements in column?
2329 if (i < 4)
2330 // Fill out first elements
2331 c_parity[i] = id_bit;
2332 else
2333 // Count column parity
2334 c_parity[i % 4] ^= id_bit;
2335
2336 // Insert ID bit
2337 id = (id << 1) | id_bit;
2338 rev_id >>= 1;
2339 }
2340
2341 // Insert parity bit of last row
2342 id = (id << 1) | r_parity;
2343
2344 // Fill out column parity at the end of tag
2345 for (i = 0; i < 4; ++i)
2346 id = (id << 1) | c_parity[i];
2347
2348 // Add stop bit
2349 id <<= 1;
2350
2351 LED_D_ON();
2352
2353 // Write EM410x ID
2354 uint32_t data[] = {0, (uint32_t)(id >> 32), (uint32_t)(id & 0xFFFFFFFF)};
2355
2356 // default to 64
2357 clock = (clock == 0) ? 64 : clock;
2358 Dbprintf("Clock rate: %d", clock);
2359
2360 if (card == 1) { // T55x7
2361 data[0] = clockbits | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
2362 } else { // T5555 (Q5)
2363 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
2364 }
2365
2366 WriteT55xx(data, 0, 3);
2367
2368 LEDsoff();
2369 Dbprintf("Tag %s written with 0x%08x%08x\n",
2370 card ? "T55x7" : "T5555",
2371 (uint32_t)(id >> 32),
2372 (uint32_t)id);
2373 return PM3_SUCCESS;
2374 }
2375
2376 //-----------------------------------
2377 // EM4469 / EM4305 routines
2378 //-----------------------------------
2379 // Below given command set.
2380 // Commands are including the even parity, binary mirrored
2381 #define FWD_CMD_LOGIN 0xC
2382 #define FWD_CMD_WRITE 0xA
2383 #define FWD_CMD_READ 0x9
2384 #define FWD_CMD_PROTECT 0x3
2385 #define FWD_CMD_DISABLE 0x5
2386
2387 static uint8_t forwardLink_data[64]; //array of forwarded bits
2388 static uint8_t *forward_ptr; //ptr for forward message preparation
2389 static uint8_t fwd_bit_sz; //forwardlink bit counter
2390 static uint8_t *fwd_write_ptr; //forwardlink bit pointer
2391
2392 //====================================================================
2393 // prepares command bits
2394 // see EM4469 spec
2395 //====================================================================
2396 //--------------------------------------------------------------------
2397 // VALUES TAKEN FROM EM4x function: SendForward
2398 // START_GAP = 440; (55*8) cycles at 125kHz (8us = 1cycle)
2399 // WRITE_GAP = 128; (16*8)
2400 // WRITE_1 = 256 32*8; (32*8)
2401
2402 // These timings work for 4469/4269/4305 (with the 55*8 above)
2403 // WRITE_0 = 23*8 , 9*8
2404
2405 static uint8_t Prepare_Cmd(uint8_t cmd) {
2406
2407 *forward_ptr++ = 0; //start bit
2408 *forward_ptr++ = 0; //second pause for 4050 code
2409
2410 *forward_ptr++ = cmd;
2411 cmd >>= 1;
2412 *forward_ptr++ = cmd;
2413 cmd >>= 1;
2414 *forward_ptr++ = cmd;
2415 cmd >>= 1;
2416 *forward_ptr++ = cmd;
2417
2418 return 6; //return number of emited bits
2419 }
2420
2421 //====================================================================
2422 // prepares address bits
2423 // see EM4469 spec
2424 //====================================================================
2425 static uint8_t Prepare_Addr(uint8_t addr) {
2426
2427 register uint8_t line_parity;
2428
2429 uint8_t i;
2430 line_parity = 0;
2431 for (i = 0; i < 6; i++) {
2432 *forward_ptr++ = addr;
2433 line_parity ^= addr;
2434 addr >>= 1;
2435 }
2436
2437 *forward_ptr++ = (line_parity & 1);
2438
2439 return 7; //return number of emited bits
2440 }
2441
2442 //====================================================================
2443 // prepares data bits intreleaved with parity bits
2444 // see EM4469 spec
2445 //====================================================================
2446 static uint8_t Prepare_Data(uint16_t data_low, uint16_t data_hi) {
2447
2448 register uint8_t column_parity;
2449 register uint8_t i, j;
2450 register uint16_t data;
2451
2452 data = data_low;
2453 column_parity = 0;
2454
2455 for (i = 0; i < 4; i++) {
2456 register uint8_t line_parity = 0;
2457 for (j = 0; j < 8; j++) {
2458 line_parity ^= data;
2459 column_parity ^= (data & 1) << j;
2460 *forward_ptr++ = data;
2461 data >>= 1;
2462 }
2463 *forward_ptr++ = line_parity;
2464 if (i == 1)
2465 data = data_hi;
2466 }
2467
2468 for (j = 0; j < 8; j++) {
2469 *forward_ptr++ = column_parity;
2470 column_parity >>= 1;
2471 }
2472 *forward_ptr = 0;
2473
2474 return 45; //return number of emited bits
2475 }
2476
2477 //====================================================================
2478 // Forward Link send function
2479 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
2480 // fwd_bit_count set with number of bits to be sent
2481 //====================================================================
2482 static void SendForward(uint8_t fwd_bit_count, bool fast) {
2483
2484 // iceman, 21.3us increments for the USclock verification.
2485 // 55FC * 8us == 440us / 21.3 === 20.65 steps. could be too short. Go for 56FC instead
2486 // 32FC * 8us == 256us / 21.3 == 12.018 steps. ok
2487 // 16FC * 8us == 128us / 21.3 == 6.009 steps. ok
2488 #ifndef EM_START_GAP
2489 #define EM_START_GAP 55*8
2490 #endif
2491
2492 fwd_write_ptr = forwardLink_data;
2493 fwd_bit_sz = fwd_bit_count;
2494
2495 if (! fast) {
2496 // Set up FPGA, 125kHz or 95 divisor
2497 LFSetupFPGAForADC(LF_DIVISOR_125, true);
2498 }
2499 // force 1st mod pulse (start gap must be longer for 4305)
2500 fwd_bit_sz--; //prepare next bit modulation
2501 fwd_write_ptr++;
2502
2503 TurnReadLF_off(EM_START_GAP);
2504 TurnReadLFOn(18 * 8);
2505
2506 // now start writing with bitbanging the antenna. (each bit should be 32*8 total length)
2507 while (fwd_bit_sz-- > 0) { //prepare next bit modulation
2508 if (((*fwd_write_ptr++) & 1) == 1) {
2509 WaitUS(32 * 8);
2510 } else {
2511 TurnReadLF_off(23 * 8);
2512 TurnReadLFOn(18 * 8);
2513 }
2514 }
2515 }
2516
2517 static void EM4xLoginEx(uint32_t pwd) {
2518 forward_ptr = forwardLink_data;
2519 uint8_t len = Prepare_Cmd(FWD_CMD_LOGIN);
2520 len += Prepare_Data(pwd & 0xFFFF, pwd >> 16);
2521 SendForward(len, false);
2522 //WaitUS(20); // no wait for login command.
2523 // should receive
2524 // 0000 1010 ok
2525 // 0000 0001 fail
2526 }
2527
2528 void EM4xBruteforce(uint32_t start_pwd, uint32_t n) {
2529 // With current timing, 18.6 ms per test = 53.8 pwds/s
2530 reply_ng(CMD_LF_EM4X_BF, PM3_SUCCESS, NULL, 0);
2531 StartTicks();
2532 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2533 WaitMS(20);
2534 LED_A_ON();
2535 LFSetupFPGAForADC(LF_DIVISOR_125, true);
2536 uint32_t candidates_found = 0;
2537 for (uint32_t pwd = start_pwd; pwd < 0xFFFFFFFF; pwd++) {
2538 if (((pwd - start_pwd) & 0x3F) == 0x00) {
2539 WDT_HIT();
2540 if (BUTTON_PRESS() || data_available()) {
2541 Dbprintf("EM4x05 Bruteforce Interrupted");
2542 break;
2543 }
2544 }
2545 // Report progress every 256 attempts
2546 if (((pwd - start_pwd) & 0xFF) == 0x00) {
2547 Dbprintf("Trying: %06Xxx", pwd >> 8);
2548 }
2549 clear_trace();
2550
2551 forward_ptr = forwardLink_data;
2552 uint8_t len = Prepare_Cmd(FWD_CMD_LOGIN);
2553 len += Prepare_Data(pwd & 0xFFFF, pwd >> 16);
2554 SendForward(len, true);
2555
2556 WaitUS(400);
2557 DoPartialAcquisition(0, false, 350, 1000);
2558 uint8_t *mem = BigBuf_get_addr();
2559 if (mem[334] < 128) {
2560 candidates_found++;
2561 Dbprintf("Password candidate: " _GREEN_("%08X"), pwd);
2562 if ((n != 0) && (candidates_found == n)) {
2563 Dbprintf("EM4x05 Bruteforce Stopped. %i candidate%s found", candidates_found, candidates_found > 1 ? "s" : "");
2564 break;
2565 }
2566 }
2567 // Beware: if smaller, tag might not have time to be back in listening state yet
2568 WaitMS(1);
2569 }
2570 StopTicks();
2571 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2572 LEDsoff();
2573 }
2574
2575 void EM4xLogin(uint32_t pwd) {
2576
2577 StartTicks();
2578 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2579 WaitMS(20);
2580
2581 LED_A_ON();
2582
2583 // clear buffer now so it does not interfere with timing later
2584 BigBuf_Clear_ext(false);
2585
2586 EM4xLoginEx(pwd);
2587
2588 WaitUS(400);
2589 // We need to acquire more than needed, to help demodulators finding the proper modulation
2590 DoPartialAcquisition(0, false, 6000, 1000);
2591
2592 StopTicks();
2593 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2594 reply_ng(CMD_LF_EM4X_LOGIN, PM3_SUCCESS, NULL, 0);
2595 LEDsoff();
2596 }
2597
2598 void EM4xReadWord(uint8_t addr, uint32_t pwd, uint8_t usepwd) {
2599
2600 StartTicks();
2601 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2602 WaitMS(20);
2603
2604 LED_A_ON();
2605
2606 // clear buffer now so it does not interfere with timing later
2607 BigBuf_Clear_ext(false);
2608
2609 /* should we read answer from Logincommand?
2610 *
2611 * should receive
2612 * 0000 1010 ok
2613 * 0000 0001 fail
2614 **/
2615 if (usepwd) EM4xLoginEx(pwd);
2616
2617 forward_ptr = forwardLink_data;
2618 uint8_t len = Prepare_Cmd(FWD_CMD_READ);
2619 len += Prepare_Addr(addr);
2620
2621 SendForward(len, false);
2622
2623 WaitUS(400);
2624
2625 DoPartialAcquisition(0, false, 6000, 1000);
2626
2627 StopTicks();
2628 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2629 reply_ng(CMD_LF_EM4X_READWORD, PM3_SUCCESS, NULL, 0);
2630 LEDsoff();
2631 }
2632
2633 void EM4xWriteWord(uint8_t addr, uint32_t data, uint32_t pwd, uint8_t usepwd) {
2634
2635 StartTicks();
2636 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2637 WaitMS(50);
2638
2639 LED_A_ON();
2640
2641 // clear buffer now so it does not interfere with timing later
2642 BigBuf_Clear_ext(false);
2643
2644 /* should we read answer from Logincommand?
2645 *
2646 * should receive
2647 * 0000 1010 ok.
2648 * 0000 0001 fail
2649 **/
2650 if (usepwd) EM4xLoginEx(pwd);
2651
2652 forward_ptr = forwardLink_data;
2653 uint8_t len = Prepare_Cmd(FWD_CMD_WRITE);
2654 len += Prepare_Addr(addr);
2655 len += Prepare_Data(data & 0xFFFF, data >> 16);
2656
2657 SendForward(len, false);
2658
2659 if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
2660 StopTicks();
2661 reply_ng(CMD_LF_EM4X_WRITEWORD, PM3_ETEAROFF, NULL, 0);
2662 } else {
2663 // Wait 20ms for write to complete?
2664 // No, when write is denied, err preamble comes much sooner
2665 //WaitUS(10820); // tPC+tWEE
2666
2667 DoPartialAcquisition(0, false, 6000, 1000);
2668
2669 StopTicks();
2670 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2671 reply_ng(CMD_LF_EM4X_WRITEWORD, PM3_SUCCESS, NULL, 0);
2672 }
2673 LEDsoff();
2674 }
2675
2676 void EM4xProtectWord(uint32_t data, uint32_t pwd, uint8_t usepwd) {
2677
2678 StartTicks();
2679 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2680 WaitMS(50);
2681
2682 LED_A_ON();
2683
2684 // clear buffer now so it does not interfere with timing later
2685 BigBuf_Clear_ext(false);
2686
2687 /* should we read answer from Logincommand?
2688 *
2689 * should receive
2690 * 0000 1010 ok.
2691 * 0000 0001 fail
2692 **/
2693 if (usepwd) EM4xLoginEx(pwd);
2694
2695 forward_ptr = forwardLink_data;
2696 uint8_t len = Prepare_Cmd(FWD_CMD_PROTECT);
2697 len += Prepare_Data(data & 0xFFFF, data >> 16);
2698
2699 SendForward(len, false);
2700
2701 if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
2702 StopTicks();
2703 reply_ng(CMD_LF_EM4X_PROTECTWORD, PM3_ETEAROFF, NULL, 0);
2704 } else {
2705 // Wait 20ms for write to complete?
2706 // No, when write is denied, err preamble comes much sooner
2707 //WaitUS(13640); // tPC+tPR
2708
2709 DoPartialAcquisition(0, false, 6000, 1000);
2710 StopTicks();
2711 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2712 reply_ng(CMD_LF_EM4X_PROTECTWORD, PM3_SUCCESS, NULL, 0);
2713 }
2714 LEDsoff();
2715 }
2716
2717 /*
2718 Reading COTAG.
2719
2720 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
2721 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
2722
2723 This behavior looks very similar to old ancient Motorola Flexpass
2724
2725 -----------------------------------------------------------------------
2726 According to patent EP0040544B1:
2727 Operating freq
2728 reader 132 kHz
2729 tag 66 kHz
2730
2731 Divide by 384 counter
2732
2733 PULSE repetition 5.82ms
2734 LOW 2.91 ms
2735 HIGH 2.91 ms
2736
2737 Also references to a half-bit format and leading zero.
2738 -----------------------------------------------------------------------
2739
2740 READER START SEQUENCE:
2741
2742 burst 800 us gap 2.2 ms
2743 burst 3.6 ms gap 2.2 ms
2744 burst 800 us gap 2.2 ms
2745 pulse 3.6 ms
2746
2747 This triggers COTAG tag to response
2748
2749 */
2750 void Cotag(uint32_t arg0) {
2751 #ifndef OFF
2752 # define OFF(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS((x)); }
2753 #endif
2754 #ifndef ON
2755 # define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
2756 #endif
2757 uint8_t rawsignal = arg0 & 0xF;
2758
2759 LED_A_ON();
2760
2761 LFSetupFPGAForADC(LF_FREQ2DIV(132), true); //132
2762
2763 //clear buffer now so it does not interfere with timing later
2764 BigBuf_free();
2765 BigBuf_Clear_ext(false);
2766
2767 // send COTAG start pulse
2768 // http://www.proxmark.org/forum/viewtopic.php?id=4455
2769 /*
2770 ON(740) OFF(2035)
2771 ON(3330) OFF(2035)
2772 ON(740) OFF(2035)
2773 ON(2000)
2774 */
2775 ON(800) OFF(2200)
2776 ON(3600) OFF(2200)
2777 ON(800) OFF(2200)
2778 ON(2000) // ON(3400)
2779
2780 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_FREQ2DIV(66)); // 66kHz
2781
2782 switch (rawsignal) {
2783 case 0: {
2784 doCotagAcquisition();
2785 reply_ng(CMD_LF_COTAG_READ, PM3_SUCCESS, NULL, 0);
2786 break;
2787 }
2788 case 1: {
2789 uint8_t *dest = BigBuf_malloc(COTAG_BITS);
2790 uint16_t bits = doCotagAcquisitionManchester(dest, COTAG_BITS);
2791 reply_ng(CMD_LF_COTAG_READ, PM3_SUCCESS, dest, bits);
2792 break;
2793 }
2794 case 2: {
2795 DoAcquisition_config(false, 0);
2796 reply_ng(CMD_LF_COTAG_READ, PM3_SUCCESS, NULL, 0);
2797 break;
2798 }
2799 default: {
2800 reply_ng(CMD_LF_COTAG_READ, PM3_SUCCESS, NULL, 0);
2801 break;
2802 }
2803 }
2804
2805
2806 // Turn the field off
2807 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2808 LEDsoff();
2809 }
2810
2811 /*
2812 * EM4305 support
2813 */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware