dash/proxmark3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ADD: @marshmellows fixes for t55x7 reading signal.

Browse Source 
ADD: @marshmellows "diphase" definition for T55x7.
MOV: extracted the aquisition from the t55x7 methods and put them inside lfsampling.c
FIX: pcf7931 write,   there is 16bytes in a block.. not 4 as I thought before.
FIX: t55x7 lowered the WRITE_0 to 16.  Even bigger gap.
This commit is contained in:
iceman1001
2015-10-15 10:23:15 +02:00
parent 368044201a
commit ac2df3460a
10 changed files with 146 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
armsrc/appmain.c
View File

@@ -994,7 +994,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
cmd_send(CMD_ACK,0,0,0,0,0);
break;
case CMD_PCF7931_WRITE:
WritePCF7931(c->d.asDwords[0],c->d.asDwords[1],c->d.asDwords[2],c->d.asDwords[3],c->d.asDwords[4],c->d.asDwords[5],c->d.asDwords[6], c->d.asDwords[9], c->d.asDwords[7]-128,c->d.asDwords[8]-128, c->arg[0], c->arg[1], c->arg[2]);
WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
break;
case CMD_EM4X_READ_WORD:
EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);

10
armsrc/apps.h
View File

@@ -95,16 +95,6 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
void CopyViKingtoT55x7(uint32_t block1,uint32_t block2);
/// pcf7931.h
int DemodPCF7931(uint8_t **outBlocks);
int IsBlock0PCF7931(uint8_t *Block);
int IsBlock1PCF7931(uint8_t *Block);
void ReadPCF7931();
void SendCmdPCF7931(uint32_t * tab);
bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
/// iso14443.h
void SimulateIso14443bTag(void);

110
armsrc/lfops.c
View File

@@ -1096,6 +1096,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
#define T55x7_MODULATION_FSK2a 0x00007000
#define T55x7_MODULATION_MANCHESTER 0x00008000
#define T55x7_MODULATION_BIPHASE 0x00010000
#define T55x7_MODULATION_DIPHASE 0x00018000
//#define T55x7_MODULATION_BIPHASE57 0x00011000
#define T55x7_BITRATE_RF_8 0
#define T55x7_BITRATE_RF_16 0x00040000
@@ -1135,7 +1136,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
#define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
#define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
#define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
#define WRITE_0 16*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
#define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
// VALUES TAKEN FROM EM4x function: SendForward
@@ -1152,7 +1153,6 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
// T0 = TIMER_CLOCK1 / 125000 = 192
// 1 Cycle = 8 microseconds(us)
#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..)
// Write one bit to card
void T55xxWriteBit(int bit)
@@ -1175,7 +1175,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
// Set up FPGA, 125kHz
// Wait for config.. (192+8190xPOW)x8 == 67ms
LFSetupFPGAForADC(0, true);
LFSetupFPGAForADC(95, true);
// Now start writting
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -1208,124 +1208,82 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}
void TurnReadLFOn(){
void TurnReadLFOn(int delay){
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// Give it a bit of time for the resonant antenna to settle.
SpinDelayUs(300);
SpinDelayUs(delay);
}
// Read one card block in page 0
void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
{
uint32_t i = 0;
uint8_t *dest = BigBuf_get_addr();
uint16_t bufferlength = BigBuf_max_traceLen();
if ( bufferlength > T55xx_SAMPLES_SIZE )
bufferlength = T55xx_SAMPLES_SIZE;
// Clear destination buffer before sending the command
memset(dest, 0x80, bufferlength);
//make sure block is at max 7
Block &= 0x7;
// Set up FPGA, 125kHz
// Wait for config.. (192+8190xPOW)x8 == 67ms
//LFSetupFPGAForADC(0, true);
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc();
// Give it a bit of time for the resonant antenna to settle.
//SpinDelayUs(8*200); //192FC
SpinDelay(50);
LFSetupFPGAForADC(95, true);
// Trigger T55x7 in mode.
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
//SpinDelayUs(START_GAP);
// Opcode
SpinDelayUs(START_GAP);
// Opcode 10
T55xxWriteBit(1);
T55xxWriteBit(0); //Page 0
if (PwdMode == 1){
// Pwd
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
}
// Lock bit
// zero bit to seperate
T55xxWriteBit(0);
// Block
for (i = 0x04; i != 0; i >>= 1)
for (i = 0x04; i != 0; i >>= 1) {
T55xxWriteBit(Block & i);
// Turn field on to read the response
TurnReadLFOn();
// Now do the acquisition
i = 0;
for(;;) {
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
AT91C_BASE_SSC->SSC_THR = 0x43;
LED_D_ON();
}
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
i++;
LED_D_OFF();
if (i >= bufferlength) break;
}
Dbprintf("ice %d",i);
}
// Turn field on to read the response
TurnReadLFOn(START_GAP);
// Acquisition
doT55x7Acquisition();
// field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
LED_D_OFF();
}
// Read card traceability data (page 1)
void T55xxReadTrace(void){
uint32_t i = 0;
uint8_t *dest = BigBuf_get_addr();
uint16_t bufferlength = BigBuf_max_traceLen();
if ( bufferlength > T55xx_SAMPLES_SIZE )
bufferlength= T55xx_SAMPLES_SIZE;
// Clear destination buffer before sending the command
memset(dest, 0x80, bufferlength);
LFSetupFPGAForADC(0, true);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(START_GAP);
// Opcode
// Opcode 11
T55xxWriteBit(1);
T55xxWriteBit(1); //Page 1
// Turn field on to read the response
TurnReadLFOn();
TurnReadLFOn(START_GAP);
// Now do the acquisition
for(;;) {
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
AT91C_BASE_SSC->SSC_THR = 0x43;
LED_D_ON();
}
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
i++;
LED_D_OFF();
if (i >= bufferlength) break;
}
}
// Acquisition
doT55x7Acquisition();
// field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
LED_D_OFF();
}
/*-------------- Cloning routines -----------*/
// Copy HID id to card and setup block 0 config
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)

57
armsrc/lfsampling.c
View File

@@ -245,7 +245,60 @@ uint32_t SampleLF(bool printCfg)
* @return number of bits sampled
**/
uint32_t SnoopLF()
{
uint32_t SnoopLF() {
return ReadLF(false, true);
}
/**
* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
* the data is collected in BigBuf.
**/
void doT55x7Acquisition(void){
#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..)
#define T55xx_READ_UPPER_THRESHOLD 128+40 // 50
#define T55xx_READ_TOL 5
//#define T55xx_READ_LOWER_THRESHOLD 128-40 //-50
uint8_t *dest = BigBuf_get_addr();
uint16_t bufsize = BigBuf_max_traceLen();
if ( bufsize > T55xx_SAMPLES_SIZE )
bufsize = T55xx_SAMPLES_SIZE;
memset(dest, 0, bufsize);
uint16_t i = 0;
bool startFound = false;
bool highFound = false;
uint8_t curSample = 0;
uint8_t firstSample = 0;
for(;;) {
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
AT91C_BASE_SSC->SSC_THR = 0x43;
LED_D_ON();
}
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
// find first high sample
if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) {
if (curSample > firstSample)
firstSample = curSample;
highFound = true;
} else if (!highFound) {
continue;
}
// skip until samples begin to change
if (startFound || curSample < firstSample-T55xx_READ_TOL){
if (!startFound)
dest[i++] = firstSample;
startFound = true;
dest[i++] = curSample;
LED_D_OFF();
if (i >= bufsize) break;
}
}
}
}

6
armsrc/lfsampling.h
View File

@@ -1,6 +1,12 @@
#ifndef LFSAMPLING_H
#define LFSAMPLING_H
/**
* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
* the data is collected in BigBuf.
**/
void doT55x7Acquisition(void);
/**
* Initializes the FPGA for reader-mode (field on), and acquires the samples.
* @return number of bits sampled

4
armsrc/pcf7931.c
View File

@@ -1,4 +1,8 @@
#include "proxmark3.h"
#include "apps.h"
#include "lfsampling.h"
#include "pcf7931.h"
#include "string.h"
#define T0_PCF 8 //period for the pcf7931 in us
#define ALLOC 16

12
armsrc/pcf7931.h
View File

@@ -1,8 +1,14 @@
#ifndef __PCF7931_H
#define __PCF7931_H
#include "proxmark3.h"
#include "apps.h"
#include "lfsampling.h"
int DemodPCF7931(uint8_t **outBlocks);
int IsBlock0PCF7931(uint8_t *Block);
int IsBlock1PCF7931(uint8_t *Block);
void ReadPCF7931();
void SendCmdPCF7931(uint32_t * tab);
bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
#endif