search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
maur keys
[RRG-proxmark3.git] / fpga / hi_flite.v
blobc87a002cc4bc153a9eaab5f880cb1e65e10552fd
1 /*
2 This code demodulates and modulates signal as described in ISO/IEC 18092.
3 That includes packets used for Felica, NFC Tag 3, etc. (which do overlap)
4 simple envelope following algorithm is used (modification of fail0verflow LF one)
5 is used to combat some nasty aliasing effect with testing phone (envelope looked like sine wave)
6
7 Speeds supported: only 212 kbps (fc/64) for now. Todo: 414 kbps
8 though for reader, the selection has to come from ARM. modulation waits for market sprocket -doesn't really mean anything
9
10 mod_type: bits 210:
11 bit 2 : reader drive/power on/off
12 bit 1 : speed bit, 0 : 212, 1 :424
13 bit 0 : listen or modulate
14 */
15
16 module hi_flite(
17 ck_1356meg,
18 pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4,
19 adc_d, adc_clk,
20 ssp_frame, ssp_din, ssp_dout, ssp_clk,
21 dbg,
22 mod_type
23 );
24 input ck_1356meg;
25 output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4;
26 input [7:0] adc_d;
27 output adc_clk;
28 input ssp_dout;
29 output ssp_frame, ssp_din, ssp_clk;
30 output dbg;
31 input [3:0] mod_type;
32
33 assign dbg = 0;
34
35 wire power = mod_type[2];
36 wire speed = mod_type[1];
37 wire disabl = mod_type[0];
38
39 // Most off, oe4 for modulation;
40 // Trying reader emulation (would presumably just require switching power on, but I am not sure)
41 assign pwr_lo = 1'b0;
42 assign pwr_oe2 = 1'b0;
43
44 // 512x64/fc -wait before ts0, 32768 ticks
45 // tslot: 256*64/fc
46 assign adc_clk = ck_1356meg;
47
48 ///heuristic values for initial thresholds. seem to work OK
49 `define imin 70 // (13'd256)
50 `define imax 180 // (-13'd256)
51 `define ithrmin 91 // -13'd8
52 `define ithrmax 160 // 13'd8
53
54 `define min_bitdelay_212 8
55 //minimum values and corresponding thresholds
56 reg [8:0] curmin=`imin;
57 reg [8:0] curminthres=`ithrmin;
58 reg [8:0] curmaxthres=`ithrmax;
59 reg [8:0] curmax=`imax;
60
61 //signal state, 1-not modulated, 0 -modulated
62 reg after_hysteresis = 1'b1;
63
64 //state machine for envelope tracking
65 reg [1:0] state=1'd0;
66
67 //lower edge detected, trying to detect first bit of SYNC (b24d, 1011001001001101)
68 reg try_sync=1'b0;
69
70 //detected first sync bit, phase frozen
71 reg did_sync=0;
72
73 `define bithalf_212 32 // half-bit length for 212 kbit
74 `define bitmlen_212 63 // bit transition edge
75
76 `define bithalf_424 16 // half-bit length for 212 kbit
77 `define bitmlen_424 31 // bit transition edge
78
79 wire [7:0] bithalf = speed ? `bithalf_424 : `bithalf_212;
80 wire [7:0] bitmlen = speed ? `bitmlen_424 : `bitmlen_212;
81
82
83 //ssp clock and current values
84 reg ssp_clk;
85 reg ssp_frame;
86 reg curbit = 1'b0;
87
88 reg [7:0] fccount = 8'd0; // in-bit tick counter. Counts carrier cycles from the first lower edge detected, reset on every manchester bit detected
89
90 reg [7:0] tsinceedge = 8'd0;// ticks from last edge, desync if the valye is too large
91
92 reg zero = 1'b0; // Manchester first halfbit low second high corresponds to this value. It has been known to change. SYNC is used to set it
93
94 //ssp counter for transfer and framing
95 reg [8:0] ssp_cnt = 9'd0;
96
97 always @(posedge adc_clk)
98 ssp_cnt <= (ssp_cnt + 1);
99
100 //maybe change it so that ARM sends preamble as well.
101 //then: ready bits sent to ARM, 8 bits sent from ARM (all ones), then preamble (all zeros, presumably) - which starts modulation
102
103 always @(negedge adc_clk)
104 begin
105 //count fc/64 - transfer bits to ARM at the rate they are received
106 if( ((~speed) && (ssp_cnt[5:0] == 6'b000000)) || (speed && (ssp_cnt[4:0] == 5'b00000)))
107 begin
108 ssp_clk <= 1'b1;
109 ssp_din <= curbit;
110 end
111 if( ( (~speed) && (ssp_cnt[5:0] == 6'b100000)) ||(speed && ssp_cnt[4:0] == 5'b10000))
112 ssp_clk <= 1'b0;
113 //create frame pulses. TBH, I still don't know what they do exactly, but they are crucial for ARM->FPGA transfer. If the frame is in the beginning of the byte, transfer slows to a crawl for some reason
114 // took me a day to figure THAT out.
115 if(( (~speed) && (ssp_cnt[8:0] == 9'd31)) || (speed && ssp_cnt[7:0] == 8'd15))
116 begin
117 ssp_frame <= 1'b1;
118 end
119 if(( (~speed) && (ssp_cnt[8:0] == 9'b1011111)) || (speed &&ssp_cnt[7:0] == 8'b101111) )
120 begin
121 ssp_frame <= 1'b0;
122 end
123 end
124
125 //send current bit (detected in SNIFF mode or the one being modulated in MOD mode, 0 otherwise)
126 reg ssp_din;
127
128 //previous signal value, mostly to detect SYNC
129 reg prv = 1'b1;
130
131 // for simple error correction in mod/demod detection, use maximum of modded/demodded in given interval. Maybe 1 bit is extra? but better safe than sorry.
132 reg[7:0] mid = 8'd128;
133
134 // set TAGSIM__MODULATE on ARM if we want to write... (frame would get lost if done mid-frame...)
135 // start sending over 1s on ssp->arm when we start sending preamble
136 // reg sending = 1'b0; // are we actively modulating?
137 reg [11:0] bit_counts = 12'd0; // for timeslots. only support ts=0 for now, at 212 speed -512 fullbits from end of frame. One hopes. might remove those?
138
139
140 //we need some way to flush bit_counts triggers on mod_type changes don't compile
141 reg dlay;
142 always @(negedge adc_clk) // every data ping?
143 begin
144 //envelope follow code...
145 ////////////
146 if (fccount == bitmlen)
147 begin
148 if ((~try_sync) && (adc_d < curminthres) && disabl )
149 begin
150 fccount <= 1;
151 end
152 else
153 begin
154 fccount <= 0;
155 end
156 dlay <= ssp_dout;
157 if (bit_counts > 768) // should be over ts0 now, without ARM interference... stop counting...
158 begin
159 bit_counts <= 0;
160 end
161 else
162 if (power)
163 bit_counts <= 0;
164 else
165 bit_counts <= bit_counts + 1;
166 end
167 else
168 begin
169 if((~try_sync) && (adc_d < curminthres) && disabl)
170 begin
171 fccount <= 1;
172 end
173 else
174 begin
175 fccount <= fccount + 1;
176 end
177 end
178
179 // rising edge
180 if (adc_d > curmaxthres)
181 begin
182 case (state)
183 0: begin
184 curmax <= adc_d > `imax? adc_d : `imax;
185 state <= 2;
186 end
187 1: begin
188 curminthres <= ((curmin >> 1) + (curmin >> 2) + (curmin >> 4) + (curmax >> 3) + (curmax >> 4)); //threshold: 0.1875 max + 0.8125 min
189 curmaxthres <= ((curmax >> 1) + (curmax >> 2) + (curmax >> 4) + (curmin >> 3) + (curmin >> 4));
190 curmax <= adc_d > 155 ? adc_d : 155; // to hopefully prevent overflow from spikes going up to 255
191 state <= 2;
192 end
193 2: begin
194 if (adc_d > curmax)
195 curmax <= adc_d;
196 end
197 default:
198 begin
199 end
200 endcase
201 after_hysteresis <= 1'b1;
202 if(try_sync)
203 tsinceedge <= 0;
204 end
205 else if (adc_d<curminthres) //falling edge
206 begin
207 case (state)
208 0: begin
209 curmin <= adc_d<`imin? adc_d :`imin;
210 state <= 1;
211 end
212 1: begin
213 if (adc_d<curmin)
214 curmin <= adc_d;
215 end
216 2: begin
217 curminthres <= ( (curmin >> 1) + (curmin >> 2) + (curmin >> 4) + (curmax >> 3) + (curmax >> 4));
218 curmaxthres <= ( (curmax >> 1) + (curmax >> 2) + (curmax >> 4) + (curmin >> 3) + (curmin >> 4));
219 curmin <= adc_d < `imin ? adc_d : `imin;
220 state <= 1;
221 end
222 default:
223 begin
224 end
225 endcase
226 after_hysteresis <= 0;
227 if (~try_sync ) //begin modulation, lower edge...
228 begin
229 try_sync <= 1;
230 fccount <= 1;
231 did_sync <= 0;
232 curbit <= 0;
233 mid <= 8'd127;
234 tsinceedge <= 0;
235 prv <= 1;
236 end
237 else
238 begin
239 tsinceedge <= 0;
240 end
241 end
242 else //stable state, low or high
243 begin
244 curminthres <= ( (curmin >> 1) + (curmin >> 2) + (curmin >> 4) + (curmax >> 3) + (curmax >> 4));
245 curmaxthres <= ( (curmax >> 1) + (curmax >> 2) + (curmax >> 4) + (curmin >> 3) + (curmin >> 4));
246 state <= 0;
247
248 if (try_sync )
249 begin
250 if (tsinceedge >= (128))
251 begin
252 //we might need to start counting... assuming ARM wants to reply to the frame.
253 bit_counts <= 1;// i think? 128 is about 2 bits passed... but 1 also works
254 try_sync <= 0;
255 did_sync <= 0;//desync
256 curmin <= `imin; //reset envelope
257 curmax <= `imax;
258 curminthres <= `ithrmin;
259 curmaxthres <= `ithrmax;
260 prv <= 1;
261 tsinceedge <= 0;
262 after_hysteresis <= 1'b1;
263 curbit <= 0;
264 mid <= 8'd128;
265 end
266 else
267 tsinceedge <= (tsinceedge + 1);
268 end
269 end
270
271
272 if (try_sync && tsinceedge < 128)
273 begin
274 //detect bits in their middle ssp sampling is in sync, so it would sample all bits in order
275 if (fccount == bithalf)
276 begin
277 if ((~did_sync) && ((prv == 1 && (mid > 128))||(prv == 0 && (mid <= 128))))
278 begin
279 //sync the Zero, and set curbit roperly
280 did_sync <= 1'b1;
281 zero <= ~prv;// 1-prv
282 curbit <= 1;
283 end
284 else
285 curbit <= (mid > 128) ? (~zero) : zero;
286
287 prv <= (mid > 128) ? 1 : 0;
288
289 if (adc_d > curmaxthres)
290 mid <= 8'd129;
291 else if (adc_d < curminthres)
292 mid <= 8'd127;
293 else
294 begin
295 if (after_hysteresis)
296 begin
297 mid <= 8'd129;
298 end
299 else
300 begin
301 mid <= 8'd127;
302 end
303 end
304
305 end
306 else
307 begin
308 if (fccount==bitmlen)
309 begin
310 // fccount <= 0;
311 prv <= (mid > 128) ? 1 : 0;
312 mid <= 128;
313 end
314 else
315 begin
316 // minimum-maximum calc
317 if(adc_d > curmaxthres)
318 mid <= mid + 1;
319 else if (adc_d < curminthres)
320 mid <= mid - 1;
321 else
322 begin
323 if (after_hysteresis)
324 begin
325 mid <= mid + 1;
326 end
327 else
328 begin
329 mid <= mid - 1;
330 end
331 end
332 end
333 end
334 end
335 else
336 begin
337 end
338 // sending <= 0;
339 end
340 //put modulation here to maintain the correct clock. Seems that some readers are sensitive to that
341 reg pwr_hi;
342 reg pwr_oe1;
343 reg pwr_oe3;
344 reg pwr_oe4;
345
346 wire mod = ((fccount >= bithalf) ^ dlay) & (~disabl);
347
348 always @(ck_1356meg or ssp_dout or power or disabl or mod)
349 begin
350 if (power)
351 begin
352 pwr_hi <= ck_1356meg;
353 pwr_oe1 <= 1'b0;//mod;
354 pwr_oe3 <= 1'b0;//mod;
355 pwr_oe4 <= mod;//1'b0;
356 end
357 else
358 begin
359 pwr_hi <= 1'b0;
360 pwr_oe1 <= 1'b0;
361 pwr_oe3 <= 1'b0;
362 pwr_oe4 <= mod;
363 end
364 end
365
366
367
368
369 endmodule
Proxmark3 - the RFID research Swiss army knife. Iceman firmware