RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-20 15:26:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

added tiwrite command, split LF code from appmain into lfops.c

Browse source
This commit is contained in:
d18c7db 2009-07-25 11:47:43 +00:00
parent 431ae7e0eb
commit 9bea179a71
8 changed files with 1136 additions and 961 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
armsrc/Makefile
View file

@ -21,6 +21,7 @@ OBJLCD = $(OBJDIR)/fonts.o \
OBJ = $(OBJDIR)/start.o \
$(OBJDIR)/appmain.o \
$(OBJDIR)/fpga.o \
$(OBJDIR)/lfops.o \
$(OBJDIR)/iso14443.o \
$(OBJDIR)/iso14443a.o \
$(OBJDIR)/iso15693.o \

1
armsrc/Makefile.linux
View file

@ -32,6 +32,7 @@ OBJLCD = $(OBJDIR)/LCD.o\
OBJ = $(OBJDIR)/start.o \
$(OBJDIR)/appmain.o \
$(OBJDIR)/fpga.o \
$(OBJDIR)/lfops.o \
$(OBJDIR)/iso15693.o \
$(OBJDIR)/util.o

1285
armsrc/appmain.c
View file

File diff suppressed because it is too large Load diff

20
armsrc/apps.h
View file

@ -7,7 +7,11 @@
#ifndef __APPS_H
#define __APPS_H
/// appmain.c
// The large multi-purpose buffer, typically used to hold A/D samples,
// maybe processed in some way.
DWORD BigBuf[16000];
/// appmain.h
void ReadMem(int addr);
void AppMain(void);
void SamyRun(void);
@ -22,7 +26,7 @@ extern int ToSendMax;
extern BYTE ToSend[];
extern DWORD BigBuf[];
/// fpga.c
/// fpga.h
void FpgaSendCommand(WORD cmd, WORD v);
void FpgaWriteConfWord(BYTE v);
void FpgaDownloadAndGo(void);
@ -58,6 +62,18 @@ void SetAdcMuxFor(int whichGpio);
#define FPGA_HF_ISO14443A_READER_LISTEN (3<<0)
#define FPGA_HF_ISO14443A_READER_MOD (4<<0)
/// lfops.h
void AcquireRawAdcSamples125k(BOOL at134khz);
void DoAcquisition125k(BOOL at134khz);
void ModThenAcquireRawAdcSamples125k(int delay_off,int period_0,int period_1,BYTE *command);
void ReadTItag();
void WriteTItag(DWORD idhi, DWORD idlo, WORD crc);
void AcquireTiType(void);
void AcquireRawBitsTI(void);
void SimulateTagLowFrequency(int period, int ledcontrol);
void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
/// iso14443.h
void SimulateIso14443Tag(void);
void AcquireRawAdcSamplesIso14443(DWORD parameter);

654
armsrc/lfops.c Normal file
View file

@ -0,0 +1,654 @@
//-----------------------------------------------------------------------------
// Miscellaneous routines for low frequency tag operations.
// Tags supported here so far are Texas Instruments (TI), HID
// Also routines for raw mode reading/simulating of LF waveform
//
//-----------------------------------------------------------------------------
#include <proxmark3.h>
#include "apps.h"
#include "../common/crc16.c"
void AcquireRawAdcSamples125k(BOOL at134khz)
{
if(at134khz) {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
} else {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
}
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// Give it a bit of time for the resonant antenna to settle.
SpinDelay(50);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc();
// Now call the acquisition routine
DoAcquisition125k(at134khz);
}
// split into two routines so we can avoid timing issues after sending commands //
void DoAcquisition125k(BOOL at134khz)
{
BYTE *dest = (BYTE *)BigBuf;
int n = sizeof(BigBuf);
int i;
memset(dest,0,n);
i = 0;
for(;;) {
if(SSC_STATUS & (SSC_STATUS_TX_READY)) {
SSC_TRANSMIT_HOLDING = 0x43;
LED_D_ON();
}
if(SSC_STATUS & (SSC_STATUS_RX_READY)) {
dest[i] = (BYTE)SSC_RECEIVE_HOLDING;
i++;
LED_D_OFF();
if(i >= n) {
break;
}
}
}
DbpIntegers(dest[0], dest[1], at134khz);
}
void ModThenAcquireRawAdcSamples125k(int delay_off,int period_0,int period_1,BYTE *command)
{
BOOL at134khz;
// see if 'h' was specified
if(command[strlen((char *) command) - 1] == 'h')
at134khz= TRUE;
else
at134khz= FALSE;
if(at134khz) {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
} else {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
}
// Give it a bit of time for the resonant antenna to settle.
SpinDelay(50);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc();
// now modulate the reader field
while(*command != '\0' && *command != ' ')
{
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LED_D_OFF();
SpinDelayUs(delay_off);
if(at134khz) {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
} else {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
}
LED_D_ON();
if(*(command++) == '0')
SpinDelayUs(period_0);
else
SpinDelayUs(period_1);
}
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LED_D_OFF();
SpinDelayUs(delay_off);
if(at134khz) {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
} else {
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
}
// now do the read
DoAcquisition125k(at134khz);
}
void AcquireTiType(void)
{
int i;
// tag transmission is <20ms, sampling at 2M gives us 40K samples max
// each sample is 1 bit stuffed into a DWORD so we need 1250 DWORDS
int n = 1250;
// clear buffer
memset(BigBuf,0,sizeof(BigBuf));
// Set up the synchronous serial port
PIO_DISABLE = (1<<GPIO_SSC_DIN);
PIO_PERIPHERAL_A_SEL = (1<<GPIO_SSC_DIN);
// steal this pin from the SSP and use it to control the modulation
PIO_ENABLE = (1<<GPIO_SSC_DOUT);
PIO_OUTPUT_ENABLE = (1<<GPIO_SSC_DOUT);
SSC_CONTROL = SSC_CONTROL_RESET;
SSC_CONTROL = SSC_CONTROL_RX_ENABLE | SSC_CONTROL_TX_ENABLE;
// Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
// 48/2 = 24 MHz clock must be divided by 12
SSC_CLOCK_DIVISOR = 12;
SSC_RECEIVE_CLOCK_MODE = SSC_CLOCK_MODE_SELECT(0);
SSC_RECEIVE_FRAME_MODE = SSC_FRAME_MODE_BITS_IN_WORD(32) | SSC_FRAME_MODE_MSB_FIRST;
SSC_TRANSMIT_CLOCK_MODE = 0;
SSC_TRANSMIT_FRAME_MODE = 0;
LED_D_ON();
// modulate antenna
PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
// Charge TI tag for 50ms.
SpinDelay(50);
// stop modulating antenna and listen
PIO_OUTPUT_DATA_CLEAR = (1<<GPIO_SSC_DOUT);
LED_D_OFF();
i = 0;
for(;;) {
if(SSC_STATUS & SSC_STATUS_RX_READY) {
BigBuf[i] = SSC_RECEIVE_HOLDING; // store 32 bit values in buffer
i++; if(i >= n) return;
}
WDT_HIT();
}
// return stolen pin to SSP
PIO_DISABLE = (1<<GPIO_SSC_DOUT);
PIO_PERIPHERAL_A_SEL = (1<<GPIO_SSC_DIN) | (1<<GPIO_SSC_DOUT);
}
void ReadTItag()
{
}
void WriteTIbyte(BYTE b)
{
int i = 0;
// modulate 8 bits out to the antenna
for (i=0; i<8; i++)
{
if (b&(1<<i)) {
// stop modulating antenna
PIO_OUTPUT_DATA_CLEAR = (1<<GPIO_SSC_DOUT);
SpinDelayUs(1000);
// modulate antenna
PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
SpinDelayUs(1000);
} else {
// stop modulating antenna
PIO_OUTPUT_DATA_CLEAR = (1<<GPIO_SSC_DOUT);
SpinDelayUs(300);
// modulate antenna
PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
SpinDelayUs(1700);
}
}
}
void AcquireRawBitsTI(void)
{
// TI tags charge at 134.2Khz
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
// Place FPGA in passthrough mode, in this mode the CROSS_LO line
// connects to SSP_DIN and the SSP_DOUT logic level controls
// whether we're modulating the antenna (high)
// or listening to the antenna (low)
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
// get TI tag data into the buffer
AcquireTiType();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}
// this is a dummy function to get around
// a possible flash bug in the bootloader
// delete once you've added more code.
void DummyDummyDummy(void)
{
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
AcquireTiType();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}
// arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
// if crc provided, it will be written with the data verbatim (even if bogus)
// if not provided a valid crc will be computed from the data and written.
void WriteTItag(DWORD idhi, DWORD idlo, WORD crc)
{
// WARNING the order of the bytes in which we calc crc below needs checking
// i'm 99% sure the crc algorithm is correct, but it may need to eat the
// bytes in reverse or something
if(crc == 0) {
crc = update_crc16(crc, (idlo)&0xff);
crc = update_crc16(crc, (idlo>>8)&0xff);
crc = update_crc16(crc, (idlo>>16)&0xff);
crc = update_crc16(crc, (idlo>>24)&0xff);
crc = update_crc16(crc, (idhi)&0xff);
crc = update_crc16(crc, (idhi>>8)&0xff);
crc = update_crc16(crc, (idhi>>16)&0xff);
crc = update_crc16(crc, (idhi>>24)&0xff);
}
DbpString("Writing the following data to tag:");
DbpIntegers(idhi, idlo, crc);
// TI tags charge at 134.2Khz
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
// Place FPGA in passthrough mode, in this mode the CROSS_LO line
// connects to SSP_DIN and the SSP_DOUT logic level controls
// whether we're modulating the antenna (high)
// or listening to the antenna (low)
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
LED_A_ON();
// steal this pin from the SSP and use it to control the modulation
PIO_ENABLE = (1<<GPIO_SSC_DOUT);
PIO_OUTPUT_ENABLE = (1<<GPIO_SSC_DOUT);
// writing algorithm:
// a high bit consists of a field off for 1ms and field on for 1ms
// a low bit consists of a field off for 0.3ms and field on for 1.7ms
// initiate a charge time of 50ms (field on) then immediately start writing bits
// start by writing 0xBB (keyword) and 0xEB (password)
// then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
// finally end with 0x0300 (write frame)
// all data is sent lsb firts
// finish with 15ms programming time
// modulate antenna
PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
SpinDelay(50); // charge time
WriteTIbyte(0xbb); // keyword
WriteTIbyte(0xeb); // password
WriteTIbyte( (idlo )&0xff );
WriteTIbyte( (idlo>>8 )&0xff );
WriteTIbyte( (idlo>>16)&0xff );
WriteTIbyte( (idlo>>24)&0xff );
WriteTIbyte( (idhi )&0xff );
WriteTIbyte( (idhi>>8 )&0xff );
WriteTIbyte( (idhi>>16)&0xff );
WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
WriteTIbyte( (crc )&0xff ); // crc lo
WriteTIbyte( (crc>>8 )&0xff ); // crc hi
WriteTIbyte(0x00); // write frame lo
WriteTIbyte(0x03); // write frame hi
PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
SpinDelay(50); // programming time
LED_A_OFF();
// get TI tag data into the buffer
AcquireTiType();
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
DbpString("Now use tibits and tidemod");
}
void SimulateTagLowFrequency(int period, int ledcontrol)
{
int i;
BYTE *tab = (BYTE *)BigBuf;
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR);
PIO_ENABLE = (1 << GPIO_SSC_DOUT) | (1 << GPIO_SSC_CLK);
PIO_OUTPUT_ENABLE = (1 << GPIO_SSC_DOUT);
PIO_OUTPUT_DISABLE = (1 << GPIO_SSC_CLK);
#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
i = 0;
for(;;) {
while(!(PIO_PIN_DATA_STATUS & (1<<GPIO_SSC_CLK))) {
if(BUTTON_PRESS()) {
DbpString("Stopped");
return;
}
WDT_HIT();
}
if (ledcontrol)
LED_D_ON();
if(tab[i])
OPEN_COIL();
else
SHORT_COIL();
if (ledcontrol)
LED_D_OFF();
while(PIO_PIN_DATA_STATUS & (1<<GPIO_SSC_CLK)) {
if(BUTTON_PRESS()) {
DbpString("Stopped");
return;
}
WDT_HIT();
}
i++;
if(i == period) i = 0;
}
}
// compose fc/8 fc/10 waveform
static void fc(int c, int *n) {
BYTE *dest = (BYTE *)BigBuf;
int idx;
// for when we want an fc8 pattern every 4 logical bits
if(c==0) {
dest[((*n)++)]=1;
dest[((*n)++)]=1;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
}
// an fc/8 encoded bit is a bit pattern of 11000000 x6 = 48 samples
if(c==8) {
for (idx=0; idx<6; idx++) {
dest[((*n)++)]=1;
dest[((*n)++)]=1;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
}
}
// an fc/10 encoded bit is a bit pattern of 1110000000 x5 = 50 samples
if(c==10) {
for (idx=0; idx<5; idx++) {
dest[((*n)++)]=1;
dest[((*n)++)]=1;
dest[((*n)++)]=1;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
dest[((*n)++)]=0;
}
}
}
// prepare a waveform pattern in the buffer based on the ID given then
// simulate a HID tag until the button is pressed
void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
{
int n=0, i=0;
/*
HID tag bitstream format
The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
A 1 bit is represented as 6 fc8 and 5 fc10 patterns
A 0 bit is represented as 5 fc10 and 6 fc8 patterns
A fc8 is inserted before every 4 bits
A special start of frame pattern is used consisting a0b0 where a and b are neither 0
nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
*/
if (hi>0xFFF) {
DbpString("Tags can only have 44 bits.");
return;
}
fc(0,&n);
// special start of frame marker containing invalid bit sequences
fc(8, &n); fc(8, &n); // invalid
fc(8, &n); fc(10, &n); // logical 0
fc(10, &n); fc(10, &n); // invalid
fc(8, &n); fc(10, &n); // logical 0
WDT_HIT();
// manchester encode bits 43 to 32
for (i=11; i>=0; i--) {
if ((i%4)==3) fc(0,&n);
if ((hi>>i)&1) {
fc(10, &n); fc(8, &n); // low-high transition
} else {
fc(8, &n); fc(10, &n); // high-low transition
}
}
WDT_HIT();
// manchester encode bits 31 to 0
for (i=31; i>=0; i--) {
if ((i%4)==3) fc(0,&n);
if ((lo>>i)&1) {
fc(10, &n); fc(8, &n); // low-high transition
} else {
fc(8, &n); fc(10, &n); // high-low transition
}
}
if (ledcontrol)
LED_A_ON();
SimulateTagLowFrequency(n, ledcontrol);
if (ledcontrol)
LED_A_OFF();
}
// loop to capture raw HID waveform then FSK demodulate the TAG ID from it
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
{
BYTE *dest = (BYTE *)BigBuf;
int m=0, n=0, i=0, idx=0, found=0, lastval=0;
DWORD hi=0, lo=0;
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// Give it a bit of time for the resonant antenna to settle.
SpinDelay(50);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc();
for(;;) {
WDT_HIT();
if (ledcontrol)
LED_A_ON();
if(BUTTON_PRESS()) {
DbpString("Stopped");
if (ledcontrol)
LED_A_OFF();
return;
}
i = 0;
m = sizeof(BigBuf);
memset(dest,128,m);
for(;;) {
if(SSC_STATUS & (SSC_STATUS_TX_READY)) {
SSC_TRANSMIT_HOLDING = 0x43;
if (ledcontrol)
LED_D_ON();
}
if(SSC_STATUS & (SSC_STATUS_RX_READY)) {
dest[i] = (BYTE)SSC_RECEIVE_HOLDING;
// we don't care about actual value, only if it's more or less than a
// threshold essentially we capture zero crossings for later analysis
if(dest[i] < 127) dest[i] = 0; else dest[i] = 1;
i++;
if (ledcontrol)
LED_D_OFF();
if(i >= m) {
break;
}
}
}
// FSK demodulator
// sync to first lo-hi transition
for( idx=1; idx<m; idx++) {
if (dest[idx-1]<dest[idx])
lastval=idx;
break;
}
WDT_HIT();
// count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8)
// or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere
// between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10
for( i=0; idx<m; idx++) {
if (dest[idx-1]<dest[idx]) {
dest[i]=idx-lastval;
if (dest[i] <= 8) {
dest[i]=1;
} else {
dest[i]=0;
}
lastval=idx;
i++;
}
}
m=i;
WDT_HIT();
// we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns
lastval=dest[0];
idx=0;
i=0;
n=0;
for( idx=0; idx<m; idx++) {
if (dest[idx]==lastval) {
n++;
} else {
// a bit time is five fc/10 or six fc/8 cycles so figure out how many bits a pattern width represents,
// an extra fc/8 pattern preceeds every 4 bits (about 200 cycles) just to complicate things but it gets
// swallowed up by rounding
// expected results are 1 or 2 bits, any more and it's an invalid manchester encoding
// special start of frame markers use invalid manchester states (no transitions) by using sequences
// like 111000
if (dest[idx-1]) {
n=(n+1)/6; // fc/8 in sets of 6
} else {
n=(n+1)/5; // fc/10 in sets of 5
}
switch (n) { // stuff appropriate bits in buffer
case 0:
case 1: // one bit
dest[i++]=dest[idx-1];
break;
case 2: // two bits
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
break;
case 3: // 3 bit start of frame markers
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
break;
// When a logic 0 is immediately followed by the start of the next transmisson
// (special pattern) a pattern of 4 bit duration lengths is created.
case 4:
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
dest[i++]=dest[idx-1];
break;
default: // this shouldn't happen, don't stuff any bits
break;
}
n=0;
lastval=dest[idx];
}
}
m=i;
WDT_HIT();
// final loop, go over previously decoded manchester data and decode into usable tag ID
// 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0
for( idx=0; idx<m-6; idx++) {
// search for a start of frame marker
if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )
{
found=1;
idx+=6;
if (found && (hi|lo)) {
DbpString("TAG ID");
DbpIntegers(hi, lo, (lo>>1)&0xffff);
/* if we're only looking for one tag */
if (findone)
{
*high = hi;
*low = lo;
return;
}
hi=0;
lo=0;
found=0;
}
}
if (found) {
if (dest[idx] && (!dest[idx+1]) ) {
hi=(hi<<1)|(lo>>31);
lo=(lo<<1)|0;
} else if ( (!dest[idx]) && dest[idx+1]) {
hi=(hi<<1)|(lo>>31);
lo=(lo<<1)|1;
} else {
found=0;
hi=0;
lo=0;
}
idx++;
}
if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )
{
found=1;
idx+=6;
if (found && (hi|lo)) {
DbpString("TAG ID");
DbpIntegers(hi, lo, (lo>>1)&0xffff);
/* if we're only looking for one tag */
if (findone)
{
*high = hi;
*low = lo;
return;
}
hi=0;
lo=0;
found=0;
}
}
}
WDT_HIT();
}
}

4
common/crc16.c
View file

@ -1,4 +1,4 @@
unsigned short update_crc16( WORD crc, BYTE c ) {
WORD update_crc16( WORD crc, BYTE c ) {
WORD i, v, tcrc = 0;
v = (crc ^ c) & 0xff;
@ -7,5 +7,5 @@ unsigned short update_crc16( WORD crc, BYTE c ) {
v >>= 1;
}
return (crc >> 8) ^ tcrc;
return ((crc >> 8) ^ tcrc)&0xffff;
}

89
include/usb_cmd.h
View file

@ -20,60 +20,59 @@ typedef struct {
} UsbCommand;
// For the bootloader
#define CMD_DEVICE_INFO 0x0000
#define CMD_SETUP_WRITE 0x0001
#define CMD_FINISH_WRITE 0x0003
#define CMD_HARDWARE_RESET 0x0004
#define CMD_START_FLASH 0x0005
#define CMD_ACK 0x00ff
#define CMD_DEVICE_INFO 0x0000
#define CMD_SETUP_WRITE 0x0001
#define CMD_FINISH_WRITE 0x0003
#define CMD_HARDWARE_RESET 0x0004
#define CMD_START_FLASH 0x0005
#define CMD_ACK 0x00ff
// For general mucking around
#define CMD_DEBUG_PRINT_STRING 0x0100
#define CMD_DEBUG_PRINT_INTEGERS 0x0101
#define CMD_DEBUG_PRINT_BYTES 0x0102
#define CMD_LCD_RESET 0x0103
#define CMD_LCD 0x0104
#define CMD_BUFF_CLEAR 0x0105
#define CMD_READ_MEM 0x0106
#define CMD_DEBUG_PRINT_STRING 0x0100
#define CMD_DEBUG_PRINT_INTEGERS 0x0101
#define CMD_DEBUG_PRINT_BYTES 0x0102
#define CMD_LCD_RESET 0x0103
#define CMD_LCD 0x0104
#define CMD_BUFF_CLEAR 0x0105
#define CMD_READ_MEM 0x0106
// For low-frequency tags
#define CMD_ACQUIRE_RAW_BITS_TI_TYPE 0x0200
#define CMD_DOWNLOAD_RAW_BITS_TI_TYPE 0x0201
#define CMD_DOWNLOADED_RAW_BITS_TI_TYPE 0x0202
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_125K 0x0203
#define CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K 0x0204
#define CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K 0x0205
#define CMD_DOWNLOADED_SIM_SAMPLES_125K 0x0206
#define CMD_SIMULATE_TAG_125K 0x0207
#define CMD_HID_DEMOD_FSK 0x0208 // ## New command: demodulate HID tag ID
#define CMD_HID_SIM_TAG 0x0209 // ## New command: simulate HID tag by ID
#define CMD_SET_LF_DIVISOR 0x020A
#define CMD_SWEEP_LF 0x020B
#define CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K 0x020C
#define CMD_ACQUIRE_RAW_BITS_TI_TYPE 0x0200
#define CMD_DOWNLOAD_RAW_BITS_TI_TYPE 0x0201
#define CMD_READ_TI_TYPE 0x0202
#define CMD_WRITE_TI_TYPE 0x0203
#define CMD_DOWNLOADED_RAW_BITS_TI_TYPE 0x0204
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_125K 0x0205
#define CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K 0x0206
#define CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K 0x0207
#define CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K 0x0208
#define CMD_DOWNLOADED_SIM_SAMPLES_125K 0x0209
#define CMD_SIMULATE_TAG_125K 0x020A
#define CMD_HID_DEMOD_FSK 0x020B
#define CMD_HID_SIM_TAG 0x020C
#define CMD_SET_LF_DIVISOR 0x020D
// For the 13.56 MHz tags
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 0x0301
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443_SIM 0x0302
#define CMD_READ_SRI512_TAG 0x0303
#define CMD_READER_ISO_15693 0x0310 // ## New command to act like a 15693 reader - greg
#define CMD_SIMTAG_ISO_15693 0x0311 // ## New command to act like a 15693 reader - greg
#define CMD_SIMULATE_TAG_HF_LISTEN 0x0380
#define CMD_SIMULATE_TAG_ISO_14443 0x0381
#define CMD_SNOOP_ISO_14443 0x0382
#define CMD_SNOOP_ISO_14443a 0x0383 // ## New snoop command
#define CMD_SIMULATE_TAG_ISO_14443a 0x0384 // ## New command: Simulate tag 14443a
#define CMD_READER_ISO_14443a 0x0385 // ## New command to act like a 14443a reader
#define CMD_SIMULATE_MIFARE_CARD 0x0386
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 0x0301
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443_SIM 0x0302
#define CMD_READ_SRI512_TAG 0x0303
#define CMD_READER_ISO_15693 0x0310
#define CMD_SIMTAG_ISO_15693 0x0311
#define CMD_SIMULATE_TAG_HF_LISTEN 0x0380
#define CMD_SIMULATE_TAG_ISO_14443 0x0381
#define CMD_SNOOP_ISO_14443 0x0382
#define CMD_SNOOP_ISO_14443a 0x0383
#define CMD_SIMULATE_TAG_ISO_14443a 0x0384
#define CMD_READER_ISO_14443a 0x0385
#define CMD_SIMULATE_MIFARE_CARD 0x0386
// For measurements of the antenna tuning
#define CMD_MEASURE_ANTENNA_TUNING 0x0400
#define CMD_MEASURED_ANTENNA_TUNING 0x0401
#define CMD_LISTEN_READER_FIELD 0x0402
#define CMD_MEASURE_ANTENNA_TUNING 0x0400
#define CMD_MEASURED_ANTENNA_TUNING 0x0401
#define CMD_LISTEN_READER_FIELD 0x0402
// For direct FPGA control
#define CMD_FPGA_MAJOR_MODE_OFF 0x0500 // ## FPGA Control
#define CMD_TEST 0x0501
#define CMD_FPGA_MAJOR_MODE_OFF 0x0500
#endif

43
winsrc/command.cpp
View file

@ -1395,14 +1395,14 @@ static void CmdHi15demod(char *str)
PrintToScrollback("CRC=%04x", Iso15693Crc(outBuf, k-2));
}
static void CmdTiread(char *str)
static void CmdTIReadRaw(char *str)
{
UsbCommand c;
c.cmd = CMD_ACQUIRE_RAW_BITS_TI_TYPE;
SendCommand(&c, FALSE);
}
static void CmdTibits(char *str)
static void CmdTIBits(char *str)
{
int cnt = 0;
int i;
@ -1554,7 +1554,30 @@ static void CmdFSKdemod(char *cmdline)
PrintToScrollback("hex: %08x %08x", hi, lo);
}
static void CmdTidemod(char *cmdline)
// read a TI tag and return its ID
static void CmdTIRead(char *str)
{
UsbCommand c;
c.cmd = CMD_READ_TI_TYPE;
SendCommand(&c, FALSE);
}
// write new data to a r/w TI tag
static void CmdTIWrite(char *str)
{
UsbCommand c;
int res=0;
c.cmd = CMD_WRITE_TI_TYPE;
res = sscanf(str, "0x%x 0x%x 0x%x ", &c.ext1, &c.ext2, &c.ext3);
if (res == 2) c.ext3=0;
if (res<2)
PrintToScrollback("Please specify 2 or three hex strings, eg 0x1234 0x5678");
else
SendCommand(&c, FALSE);
}
static void CmdTIDemod(char *cmdline)
{
/* MATLAB as follows:
f_s = 2000000; % sampling frequency
@ -1754,9 +1777,13 @@ h = sign(sin(cumsum(h)));
// align 16 bit "end bits" or "ident" into lower half of shift3
shift3 >>= 16;
if ( (shift3^shift0)&0xffff ) {
// only 15 bits compare, last bit of ident is not valid
if ( (shift3^shift0)&0x7fff ) {
PrintToScrollback("Error: Ident mismatch!");
}
// WARNING the order of the bytes in which we calc crc below needs checking
// i'm 99% sure the crc algorithm is correct, but it may need to eat the
// bytes in reverse or something
// calculate CRC
crc=0;
crc = update_crc16(crc, (shift0)&0xff);
@ -2841,9 +2868,11 @@ static struct {
{"scale", CmdScale, 1, "<int> -- Set cursor display scale"},
{"setlfdivisor", CmdSetDivisor, 0, "<19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)"},
{"sri512read", CmdSri512read, 0, "<int> -- Read contents of a SRI512 tag"},
{"tibits", CmdTibits, 0, "Get raw bits for TI-type LF tag"},
{"tidemod", CmdTidemod, 1, "Demodulate raw bits for TI-type LF tag"},
{"tiread", CmdTiread, 0, "Read a TI-type 134 kHz tag"},
{"tibits", CmdTIBits, 0, "Get raw bits for TI-type LF tag"},
{"tidemod", CmdTIDemod, 1, "Demodulate raw bits for TI-type LF tag"},
{"tireadraw", CmdTIReadRaw, 0, "Read a TI-type 134 kHz tag in raw mode"},
{"tiread", CmdTIRead, 0, "Read and decode a TI 134 kHz tag"},
{"tiwrite", CmdTIWrite, 0, "Write new data to a r/w TI 134 kHz tag"},
{"threshold", CmdThreshold, 1, "Maximize/minimize every value in the graph window depending on threshold"},
{"tune", CmdTune, 0, "Measure antenna tuning"},
{"vchdemod", CmdVchdemod, 0, "['clone'] -- Demodulate samples for VeriChip"},