update em4x05/em4x69 cmds

@iceman1001 s updates + some of my own.
still more to do:
-auto demod responses
-figure out config block
-figure out block 0 info / serial # in block 1
-figure out block 3 protection data
-add dump all blocks cmd

armsrc/appmain.c

@@ -1017,10 +1017,10 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_EM4X_READ_WORD:
-			EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
+			EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
 			break;
 		case CMD_EM4X_WRITE_WORD:
-			EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
+			EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
 			CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);

armsrc/apps.h

@@ -88,7 +88,7 @@ void T55xxWakeUp(uint32_t Pwd);
 void TurnReadLFOn();
 //void T55xxReadTrace(void);
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
-void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
+void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
 void Cotag(uint32_t arg0);
 
 /// iso14443.h

armsrc/lfops.c

@@ -684,7 +684,7 @@ void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
 		for (i=0; i<size; i++){
 			askSimBit(BitStream[i]^invert, &n, clk, encoding);
 		}
-		if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for biphase phase)
+		if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
 			for (i=0; i<size; i++){
 				askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
 			}
@@ -1358,7 +1358,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
 	//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
 	data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
 	//TODO add selection of chip for Q5 or T55x7
-	// data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
+	// data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
 	WriteT55xx(data, 0, 8);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
 	//	T5567WriteBlock(0x603E10E2,0);
@@ -1367,7 +1367,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
 // clone viking tag to T55xx
 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
 	uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
-	if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
+	if (Q5) data[0] = ( ((32-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
 	// Program the data blocks for supplied ID and the block 0 config
 	WriteT55xx(data, 0, 3);
 	LED_D_OFF();
@@ -1571,8 +1571,6 @@ void SendForward(uint8_t fwd_bit_count) {
 	fwd_write_ptr = forwardLink_data;
 	fwd_bit_sz = fwd_bit_count;
 
-	LED_D_ON();
-
 	// Set up FPGA, 125kHz
 	LFSetupFPGAForADC(95, true);
 
@@ -1580,7 +1578,7 @@ void SendForward(uint8_t fwd_bit_count) {
 	fwd_bit_sz--; //prepare next bit modulation
 	fwd_write_ptr++;
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-	SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
+	SpinDelayUs(56*8); //55 cycles off (8us each)for 4305
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
 	SpinDelayUs(16*8); //16 cycles on (8us each)
 
@@ -1591,9 +1589,9 @@ void SendForward(uint8_t fwd_bit_count) {
 		else {
 			//These timings work for 4469/4269/4305 (with the 55*8 above)
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-			SpinDelayUs(23*8); //16-4 cycles off (8us each)
+			SpinDelayUs(20*8); //16-4 cycles off (8us each) //23
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
-			SpinDelayUs(9*8); //16 cycles on (8us each)
+			SpinDelayUs(12*8); //16 cycles on (8us each) //9
 		}
 	}
 }
@@ -1615,13 +1613,11 @@ void EM4xLogin(uint32_t Password) {
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
 
 	uint8_t fwd_bit_count;
-	uint8_t *dest = BigBuf_get_addr();
-	uint16_t bufferlength = BigBuf_max_traceLen();
-	uint32_t i = 0;
 
 	// Clear destination buffer before sending the command
 	BigBuf_Clear_ext(false);
 
+	LED_A_ON();
 	//If password mode do login
 	if (PwdMode == 1) EM4xLogin(Pwd);
 
@@ -1629,36 +1625,28 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
 	fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
 	fwd_bit_count += Prepare_Addr( Address );
 
-	// Connect the A/D to the peak-detected low-frequency path.
-	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-	// Now set up the SSC to get the ADC samples that are now streaming at us.
-	FpgaSetupSsc();
-
 	SendForward(fwd_bit_count);
 
 	// Now do the acquisition
-	i = 0;
-	for(;;) {
-		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
-			AT91C_BASE_SSC->SSC_THR = 0x43;
-		}
-		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
-			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-			i++;
-			if (i >= bufferlength) break;
-		}
-	}
+	DoAcquisition_config(TRUE);
+	
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+	LED_A_OFF();
 	cmd_send(CMD_ACK,0,0,0,0,0);
-	LED_D_OFF();
 }
 
-void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
-
+void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
+	
+	bool PwdMode = (flag & 0xF);
+	uint8_t Address = (flag >> 8) & 0xFF;
 	uint8_t fwd_bit_count;
 
+	//clear buffer now so it does not interfere with timing later
+	BigBuf_Clear_ext(false);
+
+	LED_A_ON();
 	//If password mode do login
-	if (PwdMode == 1) EM4xLogin(Pwd);
+	if (PwdMode) EM4xLogin(Pwd);
 
 	forward_ptr = forwardLink_data;
 	fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
@@ -1669,8 +1657,13 @@ void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode
 
 	//Wait for write to complete
 	SpinDelay(20);
+
+	//Capture response if one exists
+	DoAcquisition_config(TRUE);
+
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-	LED_D_OFF();
+	LED_A_OFF();
+	cmd_send(CMD_ACK,0,0,0,0,0);
 }
 /*
 Reading a COTAG.

client/cmdlfem4x.c

@@ -18,6 +18,7 @@
 #include "cmdparser.h"
 #include "cmddata.h"
 #include "cmdlf.h"
+#include "cmdmain.h"
 #include "cmdlfem4x.h"
 #include "lfdemod.h"
 
@@ -285,7 +286,7 @@ uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool
 	}
 	return code;
 }
-/* Read the transmitted data of an EM4x50 tag
+/* Read the transmitted data of an EM4x50 tag from the graphbuffer
  * Format:
  *
  *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
@@ -498,53 +499,122 @@ int CmdEM4x50Read(const char *Cmd)
 	return EM4x50Read(Cmd, true);
 }
 
-int CmdReadWord(const char *Cmd)
-{
-	int Word = -1; //default to invalid word
-	UsbCommand c;
+int usage_lf_em_read(void) {
+	PrintAndLog("Read EM4x05/EM4x69.  Tag must be on antenna. ");
+	PrintAndLog("");
+	PrintAndLog("Usage:  lf em readword [h] <address> <pwd>");
+	PrintAndLog("Options:");
+	PrintAndLog("       h         - this help");
+	PrintAndLog("       address   - memory address to read. (0-15)");
+	PrintAndLog("       pwd       - password (hex) (optional)");
+	PrintAndLog("samples:");
+	PrintAndLog("      lf em readword 1");
+	PrintAndLog("      lf em readword 1 11223344");
+	return 0;
+}
+int CmdReadWord(const char *Cmd) {
+	int addr, pwd;
+	bool usePwd = false;
+	uint8_t ctmp = param_getchar(Cmd, 0);
+	if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read();
+
+	addr = param_get8ex(Cmd, 0, -1, 10);
+	pwd =  param_get32ex(Cmd, 1, -1, 16);
 	
-	sscanf(Cmd, "%d", &Word);
-	
-	if ( (Word > 15) | (Word < 0) ) {
-		PrintAndLog("Word must be between 0 and 15");
+	if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
+		PrintAndLog("Address must be between 0 and 15");
 		return 1;
 	}
+	if ( pwd == -1 )
+		PrintAndLog("Reading address %d", addr);
+	else {
+		usePwd = true;
+		PrintAndLog("Reading address %d | password %08X", addr, pwd);
+	}
 	
-	PrintAndLog("Reading word %d", Word);
-	
-	c.cmd = CMD_EM4X_READ_WORD;
-	c.d.asBytes[0] = 0x0; //Normal mode
-	c.arg[0] = 0;
-	c.arg[1] = Word;
-	c.arg[2] = 0;
-	SendCommand(&c);
-	return 0;
-}
-
-int CmdReadWordPWD(const char *Cmd)
-{
-	int Word = -1; //default to invalid word
-	int Password = 0xFFFFFFFF; //default to blank password
-	UsbCommand c;
-	
-	sscanf(Cmd, "%d %x", &Word, &Password);
-	
-	if ( (Word > 15) | (Word < 0) ) {
-		PrintAndLog("Word must be between 0 and 15");
-		return 1;
-	}
-	
-	PrintAndLog("Reading word %d with password %08X", Word, Password);
-	
-	c.cmd = CMD_EM4X_READ_WORD;
-	c.d.asBytes[0] = 0x1; //Password mode
-	c.arg[0] = 0;
-	c.arg[1] = Word;
-	c.arg[2] = Password;
+	UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
+	clearCommandBuffer();
 	SendCommand(&c);
+	UsbCommand resp;	
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
+		PrintAndLog("Command timed out");
+		return -1;
+	}
+	
+	uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
+	GetFromBigBuf(got, sizeof(got), 0);
+	if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
+		PrintAndLog("command execution time out");
+		return 0;
+	}
+	setGraphBuf(got, sizeof(got));
+	//todo: demodulate read data 
+	return 1;
+}
+
+int usage_lf_em_write(void) {
+	PrintAndLog("Write EM4x05/EM4x69.  Tag must be on antenna. ");
+	PrintAndLog("");
+	PrintAndLog("Usage:  lf em writeword [h] <address> <data> <pwd>");
+	PrintAndLog("Options:");
+	PrintAndLog("       h         - this help");
+	PrintAndLog("       address   - memory address to write to. (0-15)");
+	PrintAndLog("       data      - data to write (hex)");	
+	PrintAndLog("       pwd       - password (hex) (optional)");
+	PrintAndLog("samples:");
+	PrintAndLog("      lf em writeword 1");
+	PrintAndLog("      lf em writeword 1 deadc0de 11223344");
+	return 0;
+}
+int CmdWriteWord(const char *Cmd) {
+	uint8_t ctmp = param_getchar(Cmd, 0);
+	if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_write();
+	
+	bool usePwd = false;
+		
+	int addr = 16; // default to invalid address
+	int data = 0xFFFFFFFF; // default to blank data
+	int pwd = 0xFFFFFFFF; // default to blank password
+	
+	addr = param_get8ex(Cmd, 0, -1, 10);
+	data = param_get32ex(Cmd, 1, -1, 16);
+	pwd =  param_get32ex(Cmd, 2, -1, 16);
+	
+	
+	if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
+		PrintAndLog("Address must be between 0 and 15");
+		return 1;
+	}
+	if ( pwd == -1 )
+		PrintAndLog("Writing address %d data %08X", addr, data);	
+	else {
+		usePwd = true;
+		PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);		
+	}
+	
+	uint16_t flag = (addr << 8 ) | usePwd;
+	
+	UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
+	clearCommandBuffer();
+	SendCommand(&c);
+	UsbCommand resp;	
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
+		PrintAndLog("Error occurred, device did not respond during write operation.");
+		return -1;
+	}
+	//get response if there is one
+	uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
+	GetFromBigBuf(got, sizeof(got), 0);
+	if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
+		PrintAndLog("command execution time out");
+		return 0;
+	}
+	setGraphBuf(got, sizeof(got));
+	//todo: check response for 00001010 then write data for write confirmation!
 	return 0;
 }
 
+/*
 int CmdWriteWord(const char *Cmd)
 {
 	int Word = 16; //default to invalid block
@@ -593,7 +663,7 @@ int CmdWriteWordPWD(const char *Cmd)
 	SendCommand(&c);
 	return 0;
 }
-
+*/
 static command_t CommandTable[] =
 {
 	{"help", CmdHelp, 1, "This help"},
@@ -603,11 +673,11 @@ static command_t CommandTable[] =
 	{"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
 	{"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
 	{"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
-	{"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
-	{"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
-	{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
-	{"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
-	{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
+	{"em4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
+	{"readword", CmdReadWord, 1, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
+	//{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
+	{"writeword", CmdWriteWord, 1, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
+	//{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
 	{NULL, NULL, 0, NULL}
 };