| blob | 6239f27cb036f4a24bad003386be9de4a5659de9 |
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // LEGIC RF simulation code
17 //-----------------------------------------------------------------------------
38 //-----------------------------------------------------------------------------
39 // Frame timing and pseudorandom number generator
40 //
41 // The Prng is forwarded every 100us (TAG_BIT_PERIOD), except when the reader is
42 // transmitting. In that case the prng has to be forwarded every bit transmitted:
43 // - 60us for a 0 (RWD_TIME_0)
44 // - 100us for a 1 (RWD_TIME_1)
45 //
46 // The data dependent timing makes writing comprehensible code significantly
47 // harder. The current approach forwards the prng data based if there is data on
48 // air and time based, using GET_TICKS, during computational and wait periodes.
49 //
50 // To not have the necessity to calculate/guess execution time dependent timeouts
51 // tx_frame and rx_frame use a shared timestamp to coordinate tx and rx timeslots.
52 //-----------------------------------------------------------------------------
68 /* lead to detecting false ack during write */
70 //-----------------------------------------------------------------------------
71 // I/O interface abstraction (FPGA -> ARM)
72 //-----------------------------------------------------------------------------
77 // wait for frame be become available in rx holding register
80 }
81 }
83 }
85 //-----------------------------------------------------------------------------
86 // Demodulation (Reader)
87 //-----------------------------------------------------------------------------
89 // Returns a demodulated bit
90 //
91 // The FPGA running xcorrelation samples the subcarrier at ~13.56 MHz. The mode
92 // was initially designed to receive BSPK/2-PSK. Hance, it reports an I/Q pair
93 // every 4.7us (8 bits i and 8 bits q).
94 //
95 // The subcarrier amplitude can be calculated using Pythagoras sqrt(i^2 + q^2).
96 // To reduce CPU time the amplitude is approximated by using linear functions:
97 // am = MAX(ABS(i),ABS(q)) + 1/2*MIN(ABS(i),ABSq))
98 //
99 // The bit time is 99.1us (21 I/Q pairs). The receiver skips the first 5 samples
100 // and averages the next (most stable) 8 samples. The final 8 samples are dropped
101 // also.
102 //
103 // The demodulated should be aligned to the bit period by the caller. This is
104 // done in rx_bit and rx_ack.
105 //
106 // Note: The demodulator would be drifting (18.9us * 5 != 100us), rx_frame
107 // has a delay loop that aligns rx_bit calls to the TAG tx timeslots.
108 //
109 // Note: inlining this function would fail with -Os
114 // skip first 5 I/Q pairs
117 }
119 // sample next 8 I/Q pairs
126 }
128 // calculate power
131 // compare average (power / 8) to threshold
133 }
135 //-----------------------------------------------------------------------------
136 // Modulation
137 //
138 // I've tried to modulate the Legic specific pause-puls using ssc and the default
139 // ssc clock of 105.4 kHz (bit periode of 9.4us) - previous commit. However,
140 // the timing was not precise enough. By increasing the ssc clock this could
141 // be circumvented, but the adventage over bitbang would be little.
142 //-----------------------------------------------------------------------------
145 // insert pause
150 // return to carrier on, wait for bit periode to end
154 }
156 //-----------------------------------------------------------------------------
157 // Frame Handling (Reader)
158 //
159 // The LEGIC RF protocol from card to reader does not include explicit frame
160 // start/stop information or length information. The reader must know beforehand
161 // how many bits it wants to receive.
162 // Notably: a card sending a stream of 0-bits is indistinguishable from no card
163 // present.
164 //-----------------------------------------------------------------------------
169 // wait for next tx timeslot
173 // backup ts for trace log
176 // transmit frame, MSB first
181 };
183 // add pause to mark end of the frame
189 // log
192 }
195 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
197 // hold sampling until card is expected to respond
201 // backup ts for trace log
209 // rx_bit runs only 95us, resync to TAG_BIT_PERIOD
212 }
214 // log
219 }
222 // change fpga into rx mode
223 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
225 // hold sampling until card is expected to respond
229 // backup ts for trace log
234 // sample bit
238 // rx_bit runs only 95us, resync to TAG_BIT_PERIOD
242 // check if it was an ACK
245 }
246 }
248 // log
253 }
255 //-----------------------------------------------------------------------------
256 // Legic Reader
257 //-----------------------------------------------------------------------------
283 }
285 }
288 // configure FPGA
290 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
294 // configure SSC with defaults
297 // re-claim GPIO_SSC_DOUT as GPIO and enable output
302 // reserve a cardmem, meaning we can use the tracelog function in bigbuff easier.
306 }
308 // start trace
312 // init crc calculator
315 // start us timer
317 }
319 // Setup reader to card connection
320 //
321 // The setup consists of a three way handshake:
322 // - Transmit initialisation vector 7 bits
323 // - Receive card type 6 bits
324 // - Transmit Acknowledge 6 bits
326 // init coordination timestamp
329 // Switch on carrier and let the card charge for 5ms.
336 // configure prng
340 // receive card type
344 // send obsfuscated acknowledgment frame
353 }
356 }
362 }
367 // read one byte
375 // split frame into data and crc
379 // check received against calculated crc
384 }
389 }
391 // Transmit write command, wait until (3.6ms) the tag sends back an unencrypted
392 // ACK ('1' bit) and forward the prng time based.
399 // send write command
406 // wait for ack
408 }
410 //-----------------------------------------------------------------------------
411 // Command Line Interface
412 //
413 // Only this functions are public / called from appmain.c
414 //-----------------------------------------------------------------------------
417 }
420 // configure ARM and FPGA
423 // establish shared secret and detect card type
428 }
430 // read UID
436 }
438 }
440 // read MCC and check against UID
446 }
448 // OK
451 OUT:
454 }
460 // configure ARM and FPGA
463 // establish shared secret and detect card type
468 }
470 // do not read beyond card memory
473 }
480 }
485 }
486 }
488 OUT:
492 }
495 // configure ARM and FPGA
498 // establish shared secret and detect card type
503 }
505 // do not read beyond card memory
508 }
515 }
520 }
521 }
523 // OK
526 OUT:
529 }
532 // configure ARM and FPGA
535 // uid is not writeable
539 }
541 // establish shared secret and detect card type
546 }
548 // do not write beyond card memory
551 }
553 // write in reverse order, only then is DCF (decremental field) writable
559 }
560 }
562 // OK
565 OUT:
568 }
572 }