- fixed iso14443a ManchesterDecoder in order to fix broken Snoop/Sniff

- enhanced tracing: hf 14a list now shows meaningful timing information. With new option f it also shows the frame delay times (fdt)
- small fix for hf 14b list - it used to run into the trace trailer
- hf 14a sim now obeys iso14443 timing (fdt of 1172 or 1234 resp.)
Note: you need to flash FPGA as well.
More details in http://www.proxmark.org/forum/viewtopic.php?pid=9721#p9721
This commit is contained in:
micki.held@gmx.de 2014-02-19 20:35:04 +00:00
parent 3be2a5ae0b
commit 7bc95e2e43
16 changed files with 1433 additions and 1381 deletions


@ -144,7 +144,7 @@ void RAMFUNC SnoopIso14443a(uint8_t param);
void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data);
void ReaderIso14443a(UsbCommand * c);
// Also used in iclass.c
int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader);
bool RAMFUNC LogTrace(const uint8_t * btBytes, uint8_t iLen, uint32_t iSamples, uint32_t dwParity, bool bReader);
uint32_t GetParity(const uint8_t * pbtCmd, int iLen);
void iso14a_set_trigger(bool enable);
void iso14a_clear_trace();
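Review bot: The new LogTrace prototype narrows iLen to uint8_t while the callers visible in this commit pass wider values — MfSniffLogic's len is uint16_t and the iClass call sites pass int len/respsize — so a frame longer than 255 bytes is silently truncated at the call rather than rejected. The one-byte length in the trace record (got[i+8] in CmdHF14AList) makes uint8_t consistent with the format, but the limit should be stated where callers see it, e.g. `// iLen: frame length in bytes, must be <= 255 (one length byte per trace record)`, or the callers should check before calling. The definition of LogTrace is in the suppressed iso14443a.c diff, so whether it guards the length itself cannot be seen here.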


@ -423,7 +423,7 @@ int EPA_Setup()
// card select information
iso14a_card_select_t card_select_info;
// power up the field
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
// select the card
return_code = iso14443a_select_card(uid, &card_select_info, NULL);
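Review bot: EPA_Setup now passes FPGA_HF_ISO14443A_READER_MOD to iso14443a_setup, whereas every other caller converted in this commit (the mifarecmd.c block functions) passes FPGA_HF_ISO14443A_READER_LISTEN before selecting a card. Please confirm the different minor mode is intended rather than a copy-and-paste slip, since iso14443a_select_card immediately starts a reader-side exchange; iso14443a_setup's definition is in the suppressed iso14443a.c diff, so the effect of the argument cannot be checked here. If it is deliberate, a one-line comment such as `// READER_MOD rather than READER_LISTEN because <reason>` would save the next reader the same question. EPA_Setup begins and ends outside this hunk.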


@ -119,7 +119,7 @@ void FpgaSetupSsc(void)
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
// clock comes from TK pin, no clock output, outputs change on falling
// edge of TK, start on rising edge of TF
// edge of TK, sample on rising edge of TK
AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
// tx framing is the same as the rx framing
@ -140,12 +140,12 @@ bool FpgaSetupSscDma(uint8_t *buf, int len)
return false;
}
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;
AT91C_BASE_PDC_SSC->PDC_RCR = len;
AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;
AT91C_BASE_PDC_SSC->PDC_RNCR = len;
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer
AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf; // transfer to this memory address
AT91C_BASE_PDC_SSC->PDC_RCR = len; // transfer this many bytes
AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf; // next transfer to same memory address
AT91C_BASE_PDC_SSC->PDC_RNCR = len; // ... with same number of bytes
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go!
return true;
}


@ -1168,9 +1168,9 @@ void SimulateIClass(uint8_t arg0, uint8_t *datain)
}
if (tracing) {
LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
if (respdata != NULL) {
LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
}
if(traceLen > TRACE_SIZE) {
DbpString("Trace full");
@ -1349,7 +1349,7 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
LED_A_ON();
// Store reader command in buffer
if (tracing) LogTrace(frame,len,0,par,TRUE);
if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
}
//-----------------------------------------------------------------------------
@ -1407,7 +1407,8 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer)
{
int samples = 0;
if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
rsamples += samples;
if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
if(samples == 0) return FALSE;
return Demod.len;
}
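Review bot: In SimulateIClass (first hunk) the received command and its response are both logged with the same rsamples value, so unless rsamples is advanced between the two LogTrace calls somewhere outside the hunk, the trace will place the tag answer at the same timestamp as the command and the new fdt column of `hf 14a list` will read as zero for simulated iClass traffic; worth a check, or time-stamp the response separately. In ReaderReceiveIClass the new `rsamples += samples;` runs before `if(samples == 0) return FALSE;`, which is fine for the counter, but a zero-sample (failed) answer still produces a trace entry — pre-existing, just more visible now that the timestamps are meaningful. rsamples is not declared in any hunk shown; presumably it is a global shared with iso14443a.c, whose diff is suppressed.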



@ -25,21 +25,31 @@
typedef struct {
enum {
DEMOD_UNSYNCD,
DEMOD_HALF_SYNCD,
DEMOD_MOD_FIRST_HALF,
DEMOD_NOMOD_FIRST_HALF,
// DEMOD_HALF_SYNCD,
// DEMOD_MOD_FIRST_HALF,
// DEMOD_NOMOD_FIRST_HALF,
DEMOD_MANCHESTER_DATA
} state;
uint16_t twoBits;
uint16_t highCnt;
uint16_t bitCount;
uint16_t collisionPos;
uint16_t syncBit;
uint16_t parityBits;
uint32_t parityBits;
uint16_t shiftReg;
uint16_t samples;
uint16_t len;
uint32_t startTime, endTime;
uint8_t *output;
} tDemod;
typedef enum {
MOD_NOMOD = 0,
MOD_SECOND_HALF,
MOD_FIRST_HALF,
MOD_BOTH_HALVES
} Modulation_t;
typedef struct {
enum {
STATE_UNSYNCD,
@ -47,27 +57,24 @@ typedef struct {
STATE_MILLER_X,
STATE_MILLER_Y,
STATE_MILLER_Z,
STATE_ERROR_WAIT
// DROP_NONE,
// DROP_FIRST_HALF,
} state;
uint16_t shiftReg;
int bitCnt;
int byteCnt;
int byteCntMax;
int posCnt;
int syncBit;
int parityBits;
int samples;
int highCnt;
int bitBuffer;
enum {
DROP_NONE,
DROP_FIRST_HALF,
DROP_SECOND_HALF
} drop;
uint16_t bitCount;
uint16_t len;
uint16_t byteCntMax;
uint16_t posCnt;
uint16_t syncBit;
uint32_t parityBits;
uint16_t highCnt;
uint16_t twoBits;
uint32_t startTime, endTime;
uint8_t *output;
} tUart;
extern byte_t oddparity (const byte_t bt);
extern uint32_t GetParity(const uint8_t *pbtCmd, int iLen);
extern void AppendCrc14443a(uint8_t *data, int len);
@ -78,7 +85,7 @@ extern void ReaderTransmitPar(uint8_t *frame, int len, uint32_t par, uint32_t *t
extern int ReaderReceive(uint8_t *receivedAnswer);
extern int ReaderReceivePar(uint8_t *receivedAnswer, uint32_t *parptr);
extern void iso14443a_setup();
extern void iso14443a_setup(uint8_t fpga_minor_mode);
extern int iso14_apdu(uint8_t *cmd, size_t cmd_len, void *data);
extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr);
extern void iso14a_set_trigger(bool enable);
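Review bot: The enumerators replaced in tDemod.state and tUart (`// DEMOD_HALF_SYNCD`, `// DEMOD_MOD_FIRST_HALF`, `// DEMOD_NOMOD_FIRST_HALF`, `// DROP_NONE`, `// DROP_FIRST_HALF`) are kept as commented-out code rather than deleted; version control holds the history, and removing them stops a reader from assuming those states are still reachable. The new `uint32_t startTime, endTime;` fields in both structs carry no unit — the `hf 14a list` output added in this commit prints carrier periods, while the ARM counter is clocked at ssp_clk — so a comment on the fields naming the unit (or `// unit: <TODO confirm against LogTrace>` until it is settled) would prevent a mismatch. Widening parityBits to uint32_t in both structs matches LogTrace's uint32_t dwParity parameter, which is consistent.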


@ -38,7 +38,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -107,7 +107,7 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
// clear trace
iso14a_clear_trace();
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -173,7 +173,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -260,7 +260,7 @@ void MifareUReadCard(uint8_t arg0, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -332,7 +332,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -405,7 +405,7 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -467,7 +467,7 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -554,20 +554,16 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
uint32_t auth1_time, auth2_time;
static uint16_t delta_time;
StartCountMifare();
// clear trace
iso14a_clear_trace();
iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_C_OFF();
while((GetCountMifare() & 0xffff0000) != 0x00010000); // wait for counter to reset and "warm up"
// statistics on nonce distance
if (calibrate) { // for first call only. Otherwise reuse previous calibration
LED_B_ON();
@ -767,7 +763,7 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -874,7 +870,7 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
iso14a_clear_trace();
iso14a_set_tracing(false);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -992,7 +988,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
@ -1130,7 +1126,7 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
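Review bot: MifareNested (hunk at -554) drops the StartCountMifare() call and the warm-up loop `while((GetCountMifare() & 0xffff0000) != 0x00010000);`, yet auth1_time/auth2_time and delta_time are still declared, so the nonce-distance timing below presumably now relies on a counter started inside iso14443a_setup(); that function is in the suppressed iso14443a.c diff, so please confirm the ssp_clk counter is started (including StartCountSspClk's settle wait) before the first authentication, otherwise the calibration would read an unstarted timer. A one-line comment at the setup call, e.g. `// iso14443a_setup() also starts the ssp_clk counter used for the auth timing below`, would make the dependency explicit. The remaining hunks in this file only change the iso14443a_setup argument and need no comment.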


@ -17,104 +17,95 @@ static uint8_t sniffUID[8];
static uint8_t sniffATQA[2];
static uint8_t sniffSAK;
static uint8_t sniffBuf[16];
static int timerData = 0;
static uint32_t timerData = 0;
int MfSniffInit(void){
rsamples = 0;
bool MfSniffInit(void){
memset(sniffUID, 0x00, 8);
memset(sniffATQA, 0x00, 2);
sniffSAK = 0;
sniffUIDType = SNF_UID_4;
return 0;
return FALSE;
}
int MfSniffEnd(void){
// UsbCommand ack = {CMD_ACK, {0, 0, 0}};
bool MfSniffEnd(void){
LED_B_ON();
cmd_send(CMD_ACK,0,0,0,0,0);
// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
LED_B_OFF();
return 0;
return FALSE;
}
int RAMFUNC MfSniffLogic(const uint8_t * data, int len, uint32_t parity, int bitCnt, int reader) {
bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader) {
if ((len == 1) && (bitCnt = 9) && (data[0] > 0x0F)) {
if (reader && (len == 1) && (bitCnt == 7)) { // reset on 7-Bit commands from reader
sniffState = SNF_INIT;
}
switch (sniffState) {
case SNF_INIT:{
if ((reader) && (len == 1) && (bitCnt == 9) && ((data[0] == 0x26) || (data[0] == 0x52))) {
if ((len == 1) && (reader) && (bitCnt == 7) ) { // REQA or WUPA from reader
sniffUIDType = SNF_UID_4;
memset(sniffUID, 0x00, 8);
memset(sniffATQA, 0x00, 2);
sniffSAK = 0;
sniffState = SNF_WUPREQ;
}
break;
}
case SNF_WUPREQ:{
if ((!reader) && (len == 2)) {
if ((!reader) && (len == 2)) { // ATQA from tag
memcpy(sniffATQA, data, 2);
sniffState = SNF_ATQA;
}
break;
}
case SNF_ATQA:{
if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) {
if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
sniffState = SNF_ANTICOL1;
}
break;
}
case SNF_ANTICOL1:{
if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // UID from tag (CL1)
memcpy(sniffUID + 3, data, 4);
sniffState = SNF_UID1;
}
break;
}
case SNF_UID1:{
if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {
if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 4 Byte UID from reader
sniffState = SNF_SAK;
}
break;
}
case SNF_SAK:{
if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) {
if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
sniffSAK = data[0];
if (sniffUID[3] == 0x88) {
if (sniffUID[3] == 0x88) { // CL2 UID part to be expected
sniffState = SNF_ANTICOL2;
} else {
} else { // select completed
sniffState = SNF_CARD_IDLE;
}
}
break;
}
case SNF_ANTICOL2:{
if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {
if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID
memcpy(sniffUID, data, 4);
sniffUIDType = SNF_UID_7;
sniffState = SNF_UID2;
}
break;
}
case SNF_UID2:{
if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {
if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { // Select 2nd part of 7 Byte UID
sniffState = SNF_SAK;
Dbprintf("SNF_SAK");
}
break;
}
case SNF_CARD_IDLE:{
case SNF_CARD_IDLE:{ // trace the card select sequence
sniffBuf[0] = 0xFF;
sniffBuf[1] = 0xFF;
memcpy(sniffBuf + 2, sniffUID, 7);
@ -123,18 +114,15 @@ int RAMFUNC MfSniffLogic(const uint8_t * data, int len, uint32_t parity, int bit
sniffBuf[12] = 0xFF;
sniffBuf[13] = 0xFF;
LogTrace(sniffBuf, 14, 0, parity, true);
timerData = GetTickCount();
}
} // intentionally no break;
case SNF_CARD_CMD:{
LogTrace(data, len, 0, parity, true);
sniffState = SNF_CARD_RESP;
timerData = GetTickCount();
break;
}
case SNF_CARD_RESP:{
LogTrace(data, len, 0, parity, false);
sniffState = SNF_CARD_CMD;
timerData = GetTickCount();
break;
@ -145,51 +133,40 @@ int RAMFUNC MfSniffLogic(const uint8_t * data, int len, uint32_t parity, int bit
break;
}
return 0;
return FALSE;
}
int RAMFUNC MfSniffSend(int maxTimeoutMs) {
if (traceLen && (timerData + maxTimeoutMs < GetTickCount())) {
bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs) {
if (traceLen && (GetTickCount() > timerData + maxTimeoutMs)) {
return intMfSniffSend();
}
return 0;
return FALSE;
}
// internal seding function. not a RAMFUNC.
int intMfSniffSend() {
// internal sending function. not a RAMFUNC.
bool intMfSniffSend() {
int pckSize = 0;
int pckLen = traceLen;
int pckNum = 0;
if (!traceLen) return 0;
FpgaDisableSscDma();
while (pckLen > 0) {
pckSize = MIN(32, pckLen);
// UsbCommand ack = {CMD_ACK, {1, pckSize, pckNum}};
// memcpy(ack.d.asBytes, trace + traceLen - pckLen, pckSize);
pckSize = MIN(USB_CMD_DATA_SIZE, pckLen);
LED_B_ON();
cmd_send(CMD_ACK, 1, pckSize, pckNum, trace + traceLen - pckLen, pckSize);
// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
// SpinDelay(20);
LED_B_OFF();
pckLen -= pckSize;
pckNum++;
}
// UsbCommand ack = {CMD_ACK, {2, 0, 0}};
LED_B_ON();
cmd_send(CMD_ACK,2,0,0,0,0);
// UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
LED_B_OFF();
traceLen = 0;
memset(trace, 0x44, TRACE_SIZE);
iso14a_clear_trace();
return 1;
return TRUE;
}
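Review bot: MfSniffSend's new test `GetTickCount() > timerData + maxTimeoutMs` fails when the tick counter wraps (assuming GetTickCount() returns an unsigned 32-bit count, as the new uint32_t timerData suggests): after a wrap GetTickCount() is small, the comparison stays false and the buffered trace is not flushed until the next wrap — the old form had the same flaw. Comparing the elapsed time is wrap-safe in unsigned arithmetic: `if (traceLen && (GetTickCount() - timerData > maxTimeoutMs))`. In MfSniffLogic the SNF_INIT case now accepts any 7-bit reader frame (`(len == 1) && (reader) && (bitCnt == 7)`) where the old code also required 0x26/0x52; if that relaxation is deliberate the `// REQA or WUPA from reader` comment should say so, since the reset at `if (reader && (len == 1) && (bitCnt == 7))` restarts the state machine on the same condition. Also `bool intMfSniffSend()` should be `bool intMfSniffSend(void)` to be a real prototype, and its early `if (!traceLen) return 0;` should return FALSE to match the rest of the rewrite.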


@ -38,10 +38,10 @@
#define SNF_UID_4 0
#define SNF_UID_7 0
int MfSniffInit(void);
int RAMFUNC MfSniffLogic(const uint8_t * data, int len, uint32_t parity, int bitCnt, int reader);
int RAMFUNC MfSniffSend(int maxTimeoutMs);
int intMfSniffSend();
int MfSniffEnd(void);
bool MfSniffInit(void);
bool RAMFUNC MfSniffLogic(const uint8_t * data, uint16_t len, uint32_t parity, uint16_t bitCnt, bool reader);
bool RAMFUNC MfSniffSend(uint16_t maxTimeoutMs);
bool intMfSniffSend();
bool MfSniffEnd(void);
#endif
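Review bot: The context lines above define both `SNF_UID_4` and `SNF_UID_7` as 0, so the sniffUIDType assignments in MfSniffLogic (SNF_UID_4 on REQA/WUPA, SNF_UID_7 after the CL2 UID) cannot be told apart by any consumer; this predates the commit, but since both assignments are touched here it is a cheap fix now, e.g. `#define SNF_UID_7 1`, provided nothing outside this diff depends on the current value. The new prototypes keep the empty parameter list on `bool intMfSniffSend();`; `(void)` makes it a proper prototype so the compiler checks its calls. The `const uint8_t * data` spacing in the MfSniffLogic declaration differs from the `const uint8_t *data` used in the .c definition — cosmetic, but worth aligning.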


@ -316,9 +316,9 @@ uint32_t RAMFUNC GetDeltaCountUS(){
// -------------------------------------------------------------------------
// Mifare timer. Uses ssp_clk from FPGA
// Timer for iso14443 commands. Uses ssp_clk from FPGA
// -------------------------------------------------------------------------
void StartCountMifare()
void StartCountSspClk()
{
AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1) | (1 << AT91C_ID_TC2); // Enable Clock to all timers
AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1 // XC0 Clock = TIOA1
@ -330,7 +330,7 @@ void StartCountMifare()
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK // TC1 Clock = MCK(48MHz)/2 = 24MHz
| AT91C_TC_CPCSTOP // Stop clock on RC compare
| AT91C_TC_EEVTEDG_RISING // Trigger on rising edge of Event
| AT91C_TC_EEVT_TIOB // Event-Source: TIOB1 (= ssc_clk from FPGA = 13,56MHz / 16)
| AT91C_TC_EEVT_TIOB // Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16)
| AT91C_TC_ENETRG // Enable external trigger event
| AT91C_TC_WAVESEL_UP // Upmode without automatic trigger on RC compare
| AT91C_TC_WAVE // Waveform Mode
@ -354,29 +354,40 @@ void StartCountMifare()
| AT91C_TC_WAVE // Waveform Mode
| AT91C_TC_WAVESEL_UP; // just count
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN; // enable TC0
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN; // enable TC1
AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN; // enable TC2
// activate the ISO14443 part of the FPGA. We need the clock and frame signals.
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
// synchronize the counter with the ssp_frame signal.
//
// synchronize the counter with the ssp_frame signal. Note: FPGA must be in any iso14446 mode, otherwise the frame signal would not be present
//
while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); // wait for ssp_frame to go high (start of frame)
while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME); // wait for ssp_frame to be low
while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); // sync on rising edge of ssp_frame (= start of transfer)
// after the falling edge of ssp_frame, there is delay of 1/13,56MHz (73ns) until the next rising edge of ssp_clk. This are only a few
// processor cycles. We therefore may or may not be able to sync on this edge. Therefore better make sure that we miss it:
while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high
// note: up to now two ssp_clk rising edges have passed since the rising edge of ssp_frame
// it is now safe to assert a sync signal. This sets all timers to 0 on next active clock edge
AT91C_BASE_TCB->TCB_BCR = 1; // assert Sync (set all timers to 0 on next active clock edge)
// at the next (3rd) ssp_clk rising edge, TC1 will be reset (and not generate a clock signal to TC0)
// at the next (4th) ssp_clk rising edge, TC0 (the low word of our counter) will be reset. From now on,
// whenever the last three bits of our counter go 0, we can be sure to be in the middle of a frame transfer.
// (just started with the transfer of the 4th Bit).
// The high word of the counter (TC2) will not reset until the low word (TC0) overflows. Therefore need to wait quite some time before
// we can use the counter.
while (AT91C_BASE_TC0->TC_CV < 0xFFF0);
}
uint32_t RAMFUNC GetCountMifare(){
uint32_t RAMFUNC GetCountSspClk(){
uint32_t tmp_count;
tmp_count = (AT91C_BASE_TC2->TC_CV << 16) | AT91C_BASE_TC0->TC_CV;
if ((tmp_count & 0xffff) == 0) { //small chance that we may have missed an increment in TC2
if ((tmp_count & 0x0000ffff) == 0) { //small chance that we may have missed an increment in TC2
return (AT91C_BASE_TC2->TC_CV << 16);
}
else {
return tmp_count;
}
}
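Review bot: StartCountSspClk no longer configures the FPGA itself (the `FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN)` call was removed), so the three sync loops on GPIO_SSC_FRAME/GPIO_SSC_CLK and the final `while (AT91C_BASE_TC0->TC_CV < 0xFFF0);` spin forever if a caller invokes it before the FPGA is in an ISO14443 mode; the in-body comment says as much, but the precondition belongs on the declaration in util.h too, e.g. `// Precondition: FPGA already in an ISO14443A mode (ssp_frame/ssp_clk present), otherwise this never returns`. A bounded wait with an error return would be the robust alternative, but it changes the signature, so a documented precondition is the minimum. That same comment has a typo, "iso14446" for "iso14443". The 0xFFF0 settle wait is also undocumented as a duration — if ssp_clk is 13.56 MHz/16 as the TC1 comment states, it is roughly 77 ms, which callers should know they block for.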


@ -47,7 +47,7 @@ void StartCountUS();
uint32_t RAMFUNC GetCountUS();
uint32_t RAMFUNC GetDeltaCountUS();
void StartCountMifare();
uint32_t RAMFUNC GetCountMifare();
void StartCountSspClk();
uint32_t RAMFUNC GetCountSspClk();
#endif


@ -16,7 +16,6 @@
#include "util.h"
#include "iso14443crc.h"
#include "data.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"
@ -30,16 +29,37 @@ static void waitCmd(uint8_t iLen);
int CmdHF14AList(const char *Cmd)
{
bool ShowWaitCycles = false;
char param = param_getchar(Cmd, 0);
if (param == 'h' || (param != 0 && param != 'f')) {
PrintAndLog("List data in trace buffer.");
PrintAndLog("Usage: hf 14a list [f]");
PrintAndLog("f - show frame delay times as well");
PrintAndLog("sample: hf 14a list f");
return 0;
}
if (param == 'f') {
ShowWaitCycles = true;
}
uint8_t got[1920];
GetFromBigBuf(got,sizeof(got),0);
WaitForResponse(CMD_ACK,NULL);
PrintAndLog("recorded activity:");
PrintAndLog(" ETU :rssi: who bytes");
PrintAndLog("---------+----+----+-----------");
PrintAndLog("Recorded Activity");
PrintAndLog("");
PrintAndLog("Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer");
PrintAndLog("All times are in carrier periods (1/13.56Mhz)");
PrintAndLog("");
PrintAndLog(" Start | End | Src | Data");
PrintAndLog("-----------|-----------|-----|--------");
int i = 0;
int prev = -1;
uint32_t first_timestamp = 0;
uint32_t timestamp;
uint32_t EndOfTransmissionTimestamp = 0;
for (;;) {
if(i >= 1900) {
@ -47,23 +67,19 @@ int CmdHF14AList(const char *Cmd)
}
bool isResponse;
int timestamp = *((uint32_t *)(got+i));
timestamp = *((uint32_t *)(got+i));
if (timestamp & 0x80000000) {
timestamp &= 0x7fffffff;
isResponse = 1;
isResponse = true;
} else {
isResponse = 0;
isResponse = false;
}
int metric = 0;
int parityBits = *((uint32_t *)(got+i+4));
// 4 bytes of additional information...
// maximum of 32 additional parity bit information
//
// TODO:
// at each quarter bit period we can send power level (16 levels)
// or each half bit period in 256 levels.
if(i==0) {
first_timestamp = timestamp;
}
int parityBits = *((uint32_t *)(got+i+4));
int len = got[i+8];
@ -77,10 +93,11 @@ int CmdHF14AList(const char *Cmd)
uint8_t *frame = (got+i+9);
// Break and stick with current result if buffer was not completely full
if (frame[0] == 0x44 && frame[1] == 0x44 && frame[3] == 0x44) { break; }
if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break;
char line[1000] = "";
int j;
if (len) {
for (j = 0; j < len; j++) {
int oddparity = 0x01;
int k;
@ -92,11 +109,16 @@ int CmdHF14AList(const char *Cmd)
//if((parityBits >> (len - j - 1)) & 0x01) {
if (isResponse && (oddparity != ((parityBits >> (len - j - 1)) & 0x01))) {
sprintf(line+(j*4), "%02x! ", frame[j]);
}
else {
} else {
sprintf(line+(j*4), "%02x ", frame[j]);
}
}
} else {
if (ShowWaitCycles) {
uint32_t next_timestamp = (*((uint32_t *)(got+i+9))) & 0x7fffffff;
sprintf(line, "fdt (Frame Delay Time): %d", (next_timestamp - timestamp));
}
}
char *crc;
crc = "";
@ -138,20 +160,18 @@ int CmdHF14AList(const char *Cmd)
crc = ""; // SHORT
}
char metricString[100];
if (isResponse) {
sprintf(metricString, "%3d", metric);
} else {
strcpy(metricString, " ");
}
PrintAndLog(" +%7d: %s: %s %s %s",
(prev < 0 ? 0 : (timestamp - prev)),
metricString,
(isResponse ? "TAG " : " "), line, crc);
prev = timestamp;
i += (len + 9);
EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff;
if (!ShowWaitCycles) i += 9;
PrintAndLog(" %9d | %9d | %s | %s %s",
(timestamp - first_timestamp),
(EndOfTransmissionTimestamp - first_timestamp),
(len?(isResponse ? "Tag" : "Rdr"):" "),
line, crc);
}
return 0;
}
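Review bot: The new read `EndOfTransmissionTimestamp = (*((uint32_t *)(got+i))) & 0x7fffffff;` happens immediately after `i += (len + 9);` and before the loop's `if(i >= 1900)` guard, so with i just under 1900 and len up to 255 it dereferences well past the end of `got[1920]`; the old code only advanced i here and let the guard run first. Bound the read before dereferencing, e.g. `EndOfTransmissionTimestamp = ((size_t)i + sizeof(uint32_t) <= sizeof(got)) ? (*((uint32_t *)(got+i)) & 0x7fffffff) : timestamp;`. The `%9d` conversions in the final PrintAndLog and the `%d` in the fdt sprintf are given uint32_t differences; `%u` (or PRIu32) avoids the signed/unsigned mismatch. The frame loop over `frame = (got+i+9)` has the same unbounded-length exposure for len up to 255, but that predates the commit. `if (!ShowWaitCycles) i += 9;` presumably skips the zero-length end-of-transmission record when fdt output is off; a comment saying so would help, since the skip is easy to misread as an off-by-nine.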


@ -182,6 +182,9 @@ int CmdHF14BList(const char *Cmd)
uint8_t *frame = (got+i+9);
// Break and stick with current result if buffer was not completely full
if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break;
char line[1000] = "";
int j;
for(j = 0; j < len; j++) {


@ -1196,7 +1196,7 @@ int CmdHF14AMf1kSim(const char *Cmd)
memcpy(c.d.asBytes, uid, sizeof(uid));
SendCommand(&c);
if(flags & 1)
if(flags & FLAG_INTERACTIVE)
{
UsbCommand resp;
PrintAndLog("Press pm3-button to abort simulation");
@ -1923,7 +1923,7 @@ static command_t CommandTable[] =
{"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
{"chk", CmdHF14AMfChk, 0, "Test block keys"},
{"mifare", CmdHF14AMifare, 0, "Read parity error messages. param - <used card nonce>"},
{"mifare", CmdHF14AMifare, 0, "Read parity error messages."},
{"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
{"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},
{"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},

Binary file not shown.


@ -3,6 +3,13 @@
// Gerhard de Koning Gans, April 2008
//-----------------------------------------------------------------------------
// constants for the different modes:
`define SNIFFER 3'b000
`define TAGSIM_LISTEN 3'b001
`define TAGSIM_MOD 3'b010
`define READER_LISTEN 3'b011
`define READER_MOD 3'b100
module hi_iso14443a(
pck0, ck_1356meg, ck_1356megb,
pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4,
@ -25,26 +32,23 @@ module hi_iso14443a(
reg ssp_clk;
reg ssp_frame;
reg fc_div_2;
always @(posedge ck_1356meg)
fc_div_2 = ~fc_div_2;
wire adc_clk;
assign adc_clk = ck_1356meg;
reg after_hysteresis, after_hysteresis_prev1, after_hysteresis_prev2, after_hysteresis_prev3;
reg after_hysteresis, after_hysteresis_prev1, after_hysteresis_prev2, after_hysteresis_prev3, after_hysteresis_prev4;
reg [11:0] has_been_low_for;
reg [8:0] saw_deep_modulation;
reg [2:0] deep_counter;
reg deep_modulation;
always @(negedge adc_clk)
begin
if(& adc_d[7:6]) after_hysteresis <= 1'b1; // if adc_d >= 196
else if(~(| adc_d[7:4])) after_hysteresis <= 1'b0; // if adc_d <= 15
if(& adc_d[7:6]) after_hysteresis <= 1'b1; // adc_d >= 196 (U >= 3,28V) -> after_hysteris = 1
else if(~(| adc_d[7:4])) after_hysteresis <= 1'b0; // if adc_d <= 15 (U <= 1,13V) -> after_hysteresis = 0
if(~(| adc_d[7:0]))
if(~(| adc_d[7:0])) // if adc_d == 0 (U <= 0,94V)
begin
if(deep_counter == 3'd7)
if(deep_counter == 3'd7) // adc_d == 0 for 7 adc_clk ticks -> deep_modulation (by reader)
begin
deep_modulation <= 1'b1;
saw_deep_modulation <= 8'd0;
@ -55,7 +59,7 @@ begin
else
begin
deep_counter <= 3'd0;
if(saw_deep_modulation == 8'd255)
if(saw_deep_modulation == 8'd255) // adc_d != 0 for 255 adc_clk ticks -> deep_modulation is over, now waiting for tag's response
deep_modulation <= 1'b0;
else
saw_deep_modulation <= saw_deep_modulation + 1;
@ -63,37 +67,31 @@ begin
if(after_hysteresis)
begin
has_been_low_for <= 7'b0;
has_been_low_for <= 12'd0;
end
else
begin
if(has_been_low_for == 12'd4095)
begin
has_been_low_for <= 12'd0;
after_hysteresis <= 1'b1;
after_hysteresis <= 1'b1; // reset after_hysteresis to 1 if it had been 0 for 4096 cycles (no field)
end
else
begin
has_been_low_for <= has_been_low_for + 1;
end
end
end
// Report every 4 subcarrier cycles
// 64 periods of carrier frequency => 6-bit counter [negedge_cnt]
reg [5:0] negedge_cnt;
reg bit1, bit2, bit3;
reg [3:0] count_ones;
reg [3:0] count_zeros;
// wire [7:0] avg;
// reg [7:0] lavg;
// reg signed [12:0] step1;
// reg signed [12:0] step2;
// reg [7:0] stepsize;
reg [7:0] rx_mod_edge_threshold;
// 128 periods of carrier frequency => 7-bit counter [negedge_cnt]
reg [6:0] negedge_cnt;
reg bit1, bit2, bit3, bit4;
reg curbit;
// reg [12:0] average;
// wire signed [9:0] dif;
// storage for two previous samples:
// storage for four previous samples:
reg [7:0] adc_d_1;
reg [7:0] adc_d_2;
reg [7:0] adc_d_3;
@ -108,65 +106,89 @@ assign adc_d_filtered = (adc_d_4 << 1) + adc_d_3 - adc_d_1 - (adc_d << 1);
reg [7:0] rx_mod_falling_edge_max;
reg [7:0] rx_mod_rising_edge_max;
// A register to send the results to the arm
reg signed [7:0] to_arm;
// A register to send 8 Bit results to the arm
reg [7:0] to_arm;
reg bit_to_arm;
reg fdt_indicator, fdt_elapsed;
reg [10:0] fdt_counter;
reg [47:0] mod_sig_buf;
wire mod_sig_buf_empty;
reg [5:0] mod_sig_ptr;
//reg [47:0] mod_sig_buf;
reg [31:0] mod_sig_buf;
//reg [5:0] mod_sig_ptr;
reg [4:0] mod_sig_ptr;
reg [3:0] mod_sig_flip;
reg mod_sig, mod_sig_coil;
reg temp_buffer_reset;
reg sendbit;
assign mod_sig_buf_empty = ~(|mod_sig_buf[47:0]);
reg [2:0] ssp_frame_counter;
reg [3:0] sub_carrier_cnt;
// ADC data appears on the rising edge, so sample it on the falling edge
always @(negedge adc_clk)
begin
// ------------------------------------------------------------------------------------------------------------------------------------------------------------------
// relevant for TAGSIM_MOD only. Timing of Tag's answer to a command received from a reader
// relevant for TAGSIM_MOD only. Timing of Tag's answer relative to a command received from a reader
// ISO14443-3 specifies:
// fdt = 1172, if last bit was 0.
// fdt = 1236, if last bit was 1.
// the FPGA takes care for the 1172 delay. To achieve the additional 1236-1172=64 ticks delay, the ARM must send an additional correction bit (before the start bit).
// The correction bit will be coded as 00010000, i.e. it adds 4 bits to the transmission stream, causing the required delay.
if(fdt_counter == 11'd740) fdt_indicator = 1'b1; // fdt_indicator is true for 740 <= fdt_counter <= 1148. Ready to buffer data. (?)
// Shouldn' this be 1236 - 720 = 516? (The mod_sig_buf can buffer 46 data bits,
// i.e. a maximum delay of 46 * 16 = 720 adc_clk ticks)
if(fdt_counter == 11'd547) fdt_indicator <= 1'b1; // The ARM must not send earlier to prevent mod_sig_buf overflow.
// The mod_sig_buf can buffer 29 excess data bits, i.e. a maximum delay of 29 * 16 = 464 adc_clk ticks. fdt_indicator
// could appear at ssp_din after 1 tick, 16 ticks for the transfer, 128 ticks until response is sended.
// 1148 - 464 - 1 - 128 - 8 = 547
if(fdt_counter == 11'd1148) // additional 16 (+ eventual n*128) adc_clk_ticks delay will be added by the mod_sig_buf below
// the remaining 8 ticks delay comes from the 8 ticks timing difference between reseting fdt_counter and the mod_sig_buf clock.
if ((mod_type == `TAGSIM_MOD) || (mod_type == `TAGSIM_LISTEN))
begin
if(fdt_counter == 11'd1148) // the RF part delays the rising edge by approx 5 adc_clk_ticks, the ADC needs 3 clk_ticks for A/D conversion,
// 16 ticks delay by mod_sig_buf
// 1172 - 5 - 3 - 16 = 1148.
begin
if(fdt_elapsed)
begin
if(negedge_cnt[3:0] == mod_sig_flip[3:0]) mod_sig_coil <= mod_sig; // start modulating (if mod_sig is already set)
if(negedge_cnt[3:0] == mod_sig_flip) mod_sig_coil <= mod_sig; // start modulating (if mod_sig is already set)
sub_carrier_cnt[3:0] <= sub_carrier_cnt[3:0] + 1;
end
else
begin
mod_sig_flip[3:0] <= negedge_cnt[3:0]; // exact timing of modulation
mod_sig_coil <= mod_sig; // modulate (if mod_sig is already set)
mod_sig_flip <= negedge_cnt[3:0]; // start modulation at this time
sub_carrier_cnt[3:0] <= 0; // subcarrier phase in sync with start of modulation
mod_sig_coil <= mod_sig; // assign signal to coil
fdt_elapsed = 1'b1;
fdt_indicator = 1'b0;
if(~(| mod_sig_ptr[5:0])) mod_sig_ptr <= 6'b001001; // didn't receive a 1 yet. Delay next 1 by n*128 ticks.
if(~(| mod_sig_ptr[4:0])) mod_sig_ptr <= 5'd9; // if mod_sig_ptr == 0 -> didn't receive a 1 yet. Delay next 1 by n*128 ticks.
else temp_buffer_reset = 1'b1; // else fix the buffer size at current position
end
end
else
begin
fdt_counter <= fdt_counter + 1; // Count until 1148
fdt_counter <= fdt_counter + 1; // Count until 1155
end
end
else // other modes: don't use the delay line.
begin
mod_sig_coil <= ssp_dout;
end
//-------------------------------------------------------------------------------------------------------------------------------------------
// Relevant for READER_LISTEN only
// look for steepest falling and rising edges:
if(negedge_cnt[3:0] == 4'd1) // reset modulation detector. Save current edge.
begin
if (adc_d_filtered > 0)
begin
rx_mod_falling_edge_max <= adc_d_filtered;
rx_mod_rising_edge_max <= 0;
end
else
begin
rx_mod_falling_edge_max <= 0;
rx_mod_rising_edge_max <= -adc_d_filtered;
end
end
else // detect modulation
begin
if (adc_d_filtered > 0)
begin
if (adc_d_filtered > rx_mod_falling_edge_max)
@ -177,6 +199,14 @@ begin
if (-adc_d_filtered > rx_mod_rising_edge_max)
rx_mod_rising_edge_max <= -adc_d_filtered;
end
end
// detect modulation signal: if modulating, there must be a falling and a rising edge
if (rx_mod_falling_edge_max > 6 && rx_mod_rising_edge_max > 6)
curbit <= 1'b1; // modulation
else
curbit <= 1'b0; // no modulation
// store previous samples for filtering and edge detection:
adc_d_4 <= adc_d_3;
@ -185,97 +215,113 @@ begin
adc_d_1 <= adc_d;
if(& negedge_cnt[3:0]) // == 0xf == 15
begin
// Relevant for TAGSIM_MOD only (timing Tag's answer. See above)
// When there is a dip in the signal and not in (READER_MOD, READER_LISTEN, TAGSIM_MOD)
if(~after_hysteresis && mod_sig_buf_empty && ~((mod_type == 3'b100) || (mod_type == 3'b011) || (mod_type == 3'b010))) // last condition to prevent reset
// Relevant for TAGSIM_MOD only (timing the Tag's answer. See above)
// When we see end of a modulation and we are emulating a Tag, start fdt_counter.
// Reset fdt_counter when modulation is detected.
if(~after_hysteresis /* && mod_sig_buf_empty */ && mod_type == `TAGSIM_LISTEN)
begin
fdt_counter <= 11'd0;
fdt_elapsed = 1'b0;
fdt_indicator = 1'b0;
fdt_indicator <= 1'b0;
temp_buffer_reset = 1'b0;
mod_sig_ptr <= 6'b000000;
mod_sig_ptr <= 5'b00000;
mod_sig = 1'b0;
end
// Relevant for READER_LISTEN only
// detect modulation signal: if modulating, there must be a falling and a rising edge ... and vice versa
if (rx_mod_falling_edge_max > 6 && rx_mod_rising_edge_max > 6)
curbit = 1'b1; // modulation
else
curbit = 1'b0; // no modulation
// prepare next edge detection:
rx_mod_rising_edge_max <= 0;
rx_mod_falling_edge_max <= 0;
// What do we communicate to the ARM
if(mod_type == 3'b001) sendbit = after_hysteresis; // TAGSIM_LISTEN
else if(mod_type == 3'b010) // TAGSIM_MOD
if(negedge_cnt[3:0] == 4'd1)
begin
if(fdt_counter > 11'd772) sendbit = mod_sig_coil;
else sendbit = fdt_indicator;
end
else if(mod_type == 3'b011) sendbit = curbit; // READER_LISTEN
else sendbit = 1'b0; // READER_MOD, SNIFFER
// What do we communicate to the ARM
if(mod_type == `TAGSIM_LISTEN)
sendbit = after_hysteresis;
else if(mod_type == `TAGSIM_MOD)
/* if(fdt_counter > 11'd772) sendbit = mod_sig_coil; // huh?
else */
sendbit = fdt_indicator;
else if (mod_type == `READER_LISTEN)
sendbit = curbit;
else
sendbit = 1'b0;
end
//------------------------------------------------------------------------------------------------------------------------------------------
// Relevant for SNIFFER mode only. Prepare communication to ARM.
// Prepare 8 Bits to communicate to ARM
// in SNIFFER mode: 4 Bits data sniffed as Tag, 4 Bits data sniffed as Reader
if(mod_type == `SNIFFER)
begin
if (negedge_cnt == 7'd63)
begin
if(deep_modulation)
if(deep_modulation) // a reader is sending (or there's no field at all)
begin
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis,1'b0,1'b0,1'b0,1'b0};
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis_prev4,1'b0,1'b0,1'b0,1'b0};
end
else
begin
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis,bit1,bit2,bit3,curbit};
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis_prev4,bit1,bit2,bit3,bit4};
end
negedge_cnt <= 0;
end
else
begin
negedge_cnt <= negedge_cnt + 1;
end
end
else
// other modes: 8 Bits info on queue delay
begin
if(negedge_cnt == 7'd127)
begin
if (mod_type == `TAGSIM_MOD)
begin
to_arm[7:0] <= {mod_sig_ptr[4:0], mod_sig_flip[3:1]};
end
else
begin
to_arm[7:0] <= 8'd0;
end
negedge_cnt <= 0;
end
else
begin
negedge_cnt <= negedge_cnt + 1;
end
end
if(negedge_cnt == 6'd15)
if(negedge_cnt == 7'd1)
begin
after_hysteresis_prev1 <= after_hysteresis;
bit1 <= curbit;
end
if(negedge_cnt == 6'd31)
if(negedge_cnt == 7'd17)
begin
after_hysteresis_prev2 <= after_hysteresis;
bit2 <= curbit;
end
if(negedge_cnt == 6'd47)
if(negedge_cnt == 7'd33)
begin
after_hysteresis_prev3 <= after_hysteresis;
bit3 <= curbit;
end
if(negedge_cnt == 7'd47)
begin
after_hysteresis_prev4 <= after_hysteresis;
bit4 <= curbit;
end
//--------------------------------------------------------------------------------------------------------------------------------------------------------------
// Relevant in TAGSIM_MOD only. Delay-Line to buffer data and send it at the correct time
// Note: Data in READER_MOD is fed through this delay line as well.
if(mod_type != 3'b000) // != SNIFFER
if(negedge_cnt[3:0] == 4'd0) // at rising edge of ssp_clk - ssp_dout changes at the falling edge.
begin
if(negedge_cnt[3:0] == 4'b1000) // == 0x8
begin
// The modulation signal of the tag. The delay line is only relevant for TAGSIM_MOD, but used in other modes as well.
// Note: this means that even in READER_MOD, there will be an arbitrary delay depending on the time of a previous reset of fdt_counter and the time and
// content of the next bit to be transmitted.
mod_sig_buf[47:0] <= {mod_sig_buf[46:1], ssp_dout, 1'b0}; // shift in new data starting at mod_sig_buf[1]. mod_sig_buf[0] = 0 always.
if((ssp_dout || (| mod_sig_ptr[5:0])) && ~fdt_elapsed) // buffer a 1 (and all subsequent data) until fdt_counter = 1148 adc_clk ticks.
if(mod_sig_ptr == 6'b101110) // buffer overflow at 46 - this would mean data loss
begin
mod_sig_ptr <= 6'b000000;
end
mod_sig_buf[31:0] <= {mod_sig_buf[30:1], ssp_dout, 1'b0}; // shift in new data starting at mod_sig_buf[1]. mod_sig_buf[0] = 0 always.
// asign the delayed signal to mod_sig, but don't modulate with the correction bit (which is sent as 00010000, all other bits will come with at least 2 consecutive 1s)
// side effect: when ptr = 1 it will cancel the first 1 of every block of ones. Note: this would only be the case if we received a 1 just before fdt_elapsed.
if((ssp_dout || (| mod_sig_ptr[4:0])) && ~fdt_elapsed) // buffer a 1 (and all subsequent data) until fdt_counter = 1148 adc_clk ticks.
//if(mod_sig_ptr == 6'b101110) // buffer overflow at 46 - this would mean data loss
//begin
// mod_sig_ptr <= 6'b000000;
//end
if (mod_sig_ptr == 5'd30) mod_sig_ptr <= 5'd0;
else mod_sig_ptr <= mod_sig_ptr + 1; // increase buffer (= increase delay by 16 adc_clk ticks). ptr always points to first 1.
else if(fdt_elapsed && ~temp_buffer_reset)
// fdt_elapsed. If we didn't receive a 1 yet, ptr will be at 9 and not yet fixed. Otherwise temp_buffer_reset will be 1 already.
@ -283,26 +329,21 @@ begin
// wait for the next 1 after fdt_elapsed before fixing the delay and starting modulation. This ensures that the response can only happen
// at intervals of 8 * 16 = 128 adc_clk ticks intervals (as defined in ISO14443-3)
if(ssp_dout) temp_buffer_reset = 1'b1;
if(mod_sig_ptr == 6'b000010) mod_sig_ptr <= 6'b001001; // still nothing received, need to go for the next interval
if(mod_sig_ptr == 5'd2) mod_sig_ptr <= 5'd9; // still nothing received, need to go for the next interval
else mod_sig_ptr <= mod_sig_ptr - 1; // decrease buffer.
end
else
// mod_sig_ptr and therefore the delay is now fixed until fdt_counter is reset (this can happen in SNIFFER and TAGSIM_LISTEN mode only. Note that SNIFFER
// mode (3'b000) is the default and is active in FPGA_MAJOR_MODE_OFF if no other minor mode is explicitly requested.
begin
// don't modulate with the correction bit (which is sent as 00010000, all other bits will come with at least 2 consecutive 1s)
// side effect: when ptr = 1 it will cancel the first 1 of every block of ones. Note: this would only be the case if we received a 1 just before fdt_elapsed.
if(~mod_sig_buf[mod_sig_ptr-1] && ~mod_sig_buf[mod_sig_ptr+1]) mod_sig = 1'b0;
// finally, do the modulation:
else mod_sig = mod_sig_buf[mod_sig_ptr] & fdt_elapsed;
end
// finally, assign the delayed signal:
else mod_sig = mod_sig_buf[mod_sig_ptr];
end
end
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
// Communication to ARM (SSP Clock and data)
// SNIFFER mode (ssp_clk = adc_clk / 8, ssp_frame clock = adc_clk / 64)):
if(mod_type == 3'b000)
if(mod_type == `SNIFFER)
begin
if(negedge_cnt[2:0] == 3'b100)
ssp_clk <= 1'b0;
@ -311,7 +352,7 @@ begin
begin
ssp_clk <= 1'b1;
// Don't shift if we just loaded new data, obviously.
if(negedge_cnt != 7'd0)
if(negedge_cnt[5:0] != 6'd0)
begin
to_arm[7:1] <= to_arm[6:0];
end
@ -333,41 +374,52 @@ begin
if(negedge_cnt[3:0] == 4'b0111)
begin
if(ssp_frame_counter == 3'd7) ssp_frame_counter <= 3'd0;
else ssp_frame_counter <= ssp_frame_counter + 1;
// if(ssp_frame_counter == 3'd7) ssp_frame_counter <= 3'd0;
// else ssp_frame_counter <= ssp_frame_counter + 1;
if (negedge_cnt[6:4] == 3'b000) ssp_frame = 1'b1;
else ssp_frame = 1'b0;
end
// ssp_frame = (ssp_frame_counter == 3'd7);
if(negedge_cnt[3:0] == 4'b0000)
begin
ssp_clk <= 1'b1;
// Don't shift if we just loaded new data, obviously.
if(negedge_cnt[6:0] != 7'd0)
begin
to_arm[7:1] <= to_arm[6:0];
end
end
ssp_frame = (ssp_frame_counter == 3'd7);
if (mod_type == `TAGSIM_MOD && fdt_elapsed && temp_buffer_reset)
// transmit timing information
bit_to_arm = to_arm[7];
else
// transmit data or fdt_indicator
bit_to_arm = sendbit;
end
end
end //always @(negedge adc_clk)
assign ssp_din = bit_to_arm;
// Modulating carrier (adc_clk/16, for TAGSIM_MOD only). Will be 0 for other modes.
wire modulating_carrier;
assign modulating_carrier = (mod_sig_coil & negedge_cnt[3] & (mod_type == 3'b010)); // in TAGSIM_MOD only. Otherwise always 0.
// Subcarrier (adc_clk/16, for TAGSIM_MOD only).
wire sub_carrier;
assign sub_carrier = ~sub_carrier_cnt[3];
// for READER_MOD only: drop carrier for mod_sig_coil==1 (pause), READER_LISTEN: carrier always on, others: carrier always off
assign pwr_hi = (ck_1356megb & (((mod_type == 3'b100) & ~mod_sig_coil) || (mod_type == 3'b011)));
// in READER_MOD: drop carrier for mod_sig_coil==1 (pause); in READER_LISTEN: carrier always on; in other modes: carrier always off
assign pwr_hi = (ck_1356megb & (((mod_type == `READER_MOD) & ~mod_sig_coil) || (mod_type == `READER_LISTEN)));
// Enable HF antenna drivers:
assign pwr_oe1 = 1'b0;
assign pwr_oe3 = 1'b0;
// TAGSIM_MOD: short circuit antenna with different resistances (modulated by modulating_carrier)
// TAGSIM_MOD: short circuit antenna with different resistances (modulated by sub_carrier modulated by mod_sig_coil)
// for pwr_oe4 = 1 (tristate): antenna load = 10k || 33 = 32,9 Ohms
// for pwr_oe4 = 0 (active): antenna load = 10k || 33 || 33 = 16,5 Ohms
assign pwr_oe4 = modulating_carrier;
assign pwr_oe4 = ~(mod_sig_coil & sub_carrier & (mod_type == `TAGSIM_MOD));
// This is all LF, so doesn't matter.
assign pwr_oe2 = 1'b0;