ADD: @marshmellows fixes for t55x7 reading signal.

ADD: @marshmellows "diphase" definition for T55x7. MOV: extracted the aquisition from the t55x7 methods and put them inside lfsampling.c FIX: pcf7931 write, there is 16bytes in a block.. not 4 as I thought before. FIX: t55x7 lowered the WRITE_0 to 16. Even bigger gap.
2025-08-20 13:23:51 -07:00 · 2015-10-15 10:23:15 +02:00 · 2015-10-15 10:23:15 +02:00 · ac2df3460a
commit ac2df3460a
parent 368044201a
10 changed files with 146 additions and 117 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -994,7 +994,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			cmd_send(CMD_ACK,0,0,0,0,0);
 			break;
 		case CMD_PCF7931_WRITE:
-			WritePCF7931(c->d.asDwords[0],c->d.asDwords[1],c->d.asDwords[2],c->d.asDwords[3],c->d.asDwords[4],c->d.asDwords[5],c->d.asDwords[6], c->d.asDwords[9], c->d.asDwords[7]-128,c->d.asDwords[8]-128, c->arg[0], c->arg[1], c->arg[2]);
+			WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_EM4X_READ_WORD:
 			EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -95,16 +95,6 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void CopyViKingtoT55x7(uint32_t block1,uint32_t block2);
 /// pcf7931.h
 int DemodPCF7931(uint8_t **outBlocks);
 int IsBlock0PCF7931(uint8_t *Block);
 int IsBlock1PCF7931(uint8_t *Block);
 void ReadPCF7931();
 void SendCmdPCF7931(uint32_t * tab);
 bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
 bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
 void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
 /// iso14443.h
 void SimulateIso14443bTag(void);
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -1096,6 +1096,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 #define T55x7_MODULATION_FSK2a		0x00007000
 #define T55x7_MODULATION_MANCHESTER	0x00008000
 #define T55x7_MODULATION_BIPHASE	0x00010000
 #define T55x7_MODULATION_DIPHASE	0x00018000
 //#define T55x7_MODULATION_BIPHASE57	0x00011000
 #define T55x7_BITRATE_RF_8			0
 #define T55x7_BITRATE_RF_16			0x00040000
@ -1135,7 +1136,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 #define START_GAP 50*8 // was 250 // SPEC:  1*8 to 50*8 - typ 15*8 (or 15fc)
 #define WRITE_GAP 20*8 // was 160 // SPEC:  1*8 to 20*8 - typ 10*8 (or 10fc)
-#define WRITE_0   18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
+#define WRITE_0   16*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
 #define WRITE_1   50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc)  432 for T55x7; 448 for E5550
 //  VALUES TAKEN FROM EM4x function: SendForward
@ -1152,7 +1153,6 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
 // T0 = TIMER_CLOCK1 / 125000 = 192
 // 1 Cycle = 8 microseconds(us)
 #define T55xx_SAMPLES_SIZE      12000 // 32 x 32 x 10  (32 bit times numofblock (7), times clock skip..)
 // Write one bit to card
 void T55xxWriteBit(int bit)
@ -1175,7 +1175,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	// Set up FPGA, 125kHz
 	// Wait for config.. (192+8190xPOW)x8 == 67ms
-	LFSetupFPGAForADC(0, true);
+	LFSetupFPGAForADC(95, true);
 	// Now start writting
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@ -1208,124 +1208,82 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 }
-void TurnReadLFOn(){
+void TurnReadLFOn(int delay){
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	// Give it a bit of time for the resonant antenna to settle.
-	SpinDelayUs(300);
+	SpinDelayUs(delay);
 }
 // Read one card block in page 0
 void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
 {
 	uint32_t i = 0;
 	uint8_t *dest = BigBuf_get_addr();
 	uint16_t bufferlength = BigBuf_max_traceLen();
 	if ( bufferlength > T55xx_SAMPLES_SIZE )
 		bufferlength = T55xx_SAMPLES_SIZE;
-	// Clear destination buffer before sending the command
+	//make sure block is at max 7
-	memset(dest, 0x80, bufferlength);
+	Block &= 0x7;
 	// Set up FPGA, 125kHz
-	// Wait for config.. (192+8190xPOW)x8 == 67ms
+	LFSetupFPGAForADC(95, true);
 	//LFSetupFPGAForADC(0, true);
 	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	// Connect the A/D to the peak-detected low-frequency path.
 	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
 	// Now set up the SSC to get the ADC samples that are now streaming at us.
 	FpgaSetupSsc();
 	// Give it a bit of time for the resonant antenna to settle.
 	//SpinDelayUs(8*200);  //192FC
 	SpinDelay(50);
 	// Trigger T55x7 in mode.
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	//SpinDelayUs(START_GAP);
+	SpinDelayUs(START_GAP);
-	// Opcode
+	// Opcode 10
 	T55xxWriteBit(1);
 	T55xxWriteBit(0); //Page 0
 	if (PwdMode == 1){
 		// Pwd
 		for (i = 0x80000000; i != 0; i >>= 1)
 			T55xxWriteBit(Pwd & i);
 	}
-	// Lock bit
+	// zero bit to seperate
 	T55xxWriteBit(0);
 	// Block
 	for (i = 0x04; i != 0; i >>= 1)
 		T55xxWriteBit(Block & i);
-	// Turn field on to read the response
+	// Block
-	TurnReadLFOn();
+	for (i = 0x04; i != 0; i >>= 1) {
-	// Now do the acquisition
+		T55xxWriteBit(Block & i);
-	i = 0;
+		Dbprintf("ice %d",i);
 	for(;;) {
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
 			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 			i++;
 			LED_D_OFF();
 			if (i >= bufferlength) break;
 		}
 	}
 	// Turn field on to read the response
 	TurnReadLFOn(START_GAP);
 	// Acquisition
 	doT55x7Acquisition();
 	// field off
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	cmd_send(CMD_ACK,0,0,0,0,0);    
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_D_OFF();
 }
 // Read card traceability data (page 1)
 void T55xxReadTrace(void){
 	uint32_t i = 0;
 	uint8_t *dest = BigBuf_get_addr();
 	uint16_t bufferlength = BigBuf_max_traceLen();
 	if ( bufferlength > T55xx_SAMPLES_SIZE )
 		bufferlength= T55xx_SAMPLES_SIZE;
 	// Clear destination buffer before sending the command
 	memset(dest, 0x80, bufferlength);
 	LFSetupFPGAForADC(0, true);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelayUs(START_GAP);
-	// Opcode
+	// Opcode 11
 	T55xxWriteBit(1);
 	T55xxWriteBit(1); //Page 1
 	// Turn field on to read the response
-	TurnReadLFOn();
+	TurnReadLFOn(START_GAP);
-	// Now do the acquisition
+	// Acquisition
-	for(;;) {
+	doT55x7Acquisition();
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
 			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 			i++;
 			LED_D_OFF();
 			if (i >= bufferlength) break;
 		}
 	}
 	// field off
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	cmd_send(CMD_ACK,0,0,0,0,0);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_D_OFF();
 }
 /*-------------- Cloning routines -----------*/
 // Copy HID id to card and setup block 0 config
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
--- a/armsrc/lfsampling.c
+++ b/armsrc/lfsampling.c
@ -245,7 +245,60 @@ uint32_t SampleLF(bool printCfg)
 * @return number of bits sampled
 **/
-uint32_t SnoopLF()
+uint32_t SnoopLF() {
 {
 	return ReadLF(false, true);
 }
 /**
 * acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
 * the data is collected in BigBuf.
 **/
 void doT55x7Acquisition(void){
 	#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10  (32 bit times numofblock (7), times clock skip..)
 	#define T55xx_READ_UPPER_THRESHOLD 128+40  // 50
 	#define T55xx_READ_TOL   5
 	//#define T55xx_READ_LOWER_THRESHOLD 128-40  //-50
 	uint8_t *dest = BigBuf_get_addr();
 	uint16_t bufsize = BigBuf_max_traceLen();
 	if ( bufsize > T55xx_SAMPLES_SIZE )
 		bufsize = T55xx_SAMPLES_SIZE;
 	memset(dest, 0, bufsize);
 	uint16_t i = 0;
 	bool startFound = false;
 	bool highFound = false;
 	uint8_t curSample = 0;
 	uint8_t firstSample = 0;
 	for(;;) {
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
 			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 			// find first high sample
 			if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) {
 				if (curSample > firstSample) 
 					firstSample = curSample;
 				highFound = true;
 			} else if (!highFound) {
 				continue;
 			}
 			// skip until samples begin to change
 			if (startFound || curSample < firstSample-T55xx_READ_TOL){
 				if (!startFound) 
 					dest[i++] = firstSample;
 				startFound = true;
 				dest[i++] = curSample;
 			LED_D_OFF();
 			if (i >= bufsize) break;
 			}
 		}
 	}
 }
--- a/armsrc/lfsampling.h
+++ b/armsrc/lfsampling.h
@ -1,6 +1,12 @@
 #ifndef LFSAMPLING_H
 #define LFSAMPLING_H
 /**
 * acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
 * the data is collected in BigBuf.
 **/
 void doT55x7Acquisition(void);
 /**
 * Initializes the FPGA for reader-mode (field on), and acquires the samples.
 * @return number of bits sampled
--- a/armsrc/pcf7931.c
+++ b/armsrc/pcf7931.c
@ -1,4 +1,8 @@
 #include "proxmark3.h"
 #include "apps.h"
 #include "lfsampling.h"
 #include "pcf7931.h"
 #include "string.h"
 #define T0_PCF 8 //period for the pcf7931 in us
 #define ALLOC 16
--- a/armsrc/pcf7931.h
+++ b/armsrc/pcf7931.h
@ -1,8 +1,14 @@
 #ifndef __PCF7931_H
 #define __PCF7931_H
-#include "proxmark3.h"
+int DemodPCF7931(uint8_t **outBlocks);
-#include "apps.h"
+int IsBlock0PCF7931(uint8_t *Block);
-#include "lfsampling.h"
+int IsBlock1PCF7931(uint8_t *Block);
 void ReadPCF7931();
 void SendCmdPCF7931(uint32_t * tab);
 bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
 bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
 void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
 #endif
--- a/client/cmdlfpcf7931.c
+++ b/client/cmdlfpcf7931.c
@ -66,7 +66,7 @@ int usage_pcf7931_write(){
 	PrintAndLog("Options:");
 	PrintAndLog("       h 			   This help");
 	PrintAndLog("       blockaddress   Block to save [0-7]");
-	PrintAndLog("       byteaddress    Index of byte inside block to write [0-3]");
+	PrintAndLog("       byteaddress    Index of byte inside block to write [0-16]");
 	PrintAndLog("       data           one byte of data (hex)");
 	PrintAndLog("Examples:");
 	PrintAndLog("      lf pcf7931 write 2 1 FF");
@ -136,7 +136,7 @@ int CmdLFPCF7931Write(const char *Cmd){
 	if ( param_getdec(Cmd, 0, &block) ) return usage_pcf7931_write();
 	if ( param_getdec(Cmd, 1, &bytepos) ) return usage_pcf7931_write();
-	if ( (block > 7) || (bytepos > 3) ) return usage_pcf7931_write();
+	if ( (block > 7) || (bytepos > 16) ) return usage_pcf7931_write();
 	data 	= param_get8ex(Cmd, 2, 0, 16);
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -267,8 +267,8 @@ bool DecodeT55xxBlock(){
 	DemodBufferLen = 0x00;
 	//trim 1/2 a clock from beginning
-	snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 );
+	//snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 );
-	CmdLtrim(cmdStr);
+	//CmdLtrim(cmdStr);
 	switch( config.modulation ){
 		case DEMOD_FSK:
 			snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );
@ -330,7 +330,7 @@ int CmdT55xxDetect(const char *Cmd){
 // detect configuration?
 bool tryDetectModulation(){
-	char cmdStr[8] = {0};
+	//char cmdStr[8] = {0};
 	uint8_t hits = 0;
 	t55xx_conf_block_t tests[15];
 	int bitRate=0;
@ -338,8 +338,8 @@ bool tryDetectModulation(){
 	save_restoreGB(1);
 	if (GetFskClock("", FALSE, FALSE)){ 
 		fskClocks(&fc1, &fc2, &clk, FALSE);
-		sprintf(cmdStr,"%d", clk/2);
+		//sprintf(cmdStr,"%d", clk/2);
-		CmdLtrim(cmdStr);
+		//CmdLtrim(cmdStr);
 		if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate)){
 			tests[hits].modulation = DEMOD_FSK;
 			if (fc1==8 && fc2 == 5)
@ -365,10 +365,9 @@ bool tryDetectModulation(){
 		}
 	} else {
 		clk = GetAskClock("", FALSE, FALSE);
 		if (clk>0) {
-			sprintf(cmdStr,"%d", clk/2);
+			//sprintf(cmdStr,"%d", clk/2);
-			CmdLtrim(cmdStr);
+			//CmdLtrim(cmdStr);
 			if ( ASKDemod("0 0 0", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_ASK;
 				tests[hits].bitrate = bitRate;
@ -402,8 +401,8 @@ bool tryDetectModulation(){
 		save_restoreGB(0);
 		clk = GetNrzClock("", FALSE, FALSE);
 		if (clk>0) {
-			sprintf(cmdStr,"%d", clk/2);
+			//sprintf(cmdStr,"%d", clk/2);
-			CmdLtrim(cmdStr);
+			//CmdLtrim(cmdStr);
 			if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_NRZ;
 				tests[hits].bitrate = bitRate;
@ -425,9 +424,9 @@ bool tryDetectModulation(){
 		save_restoreGB(0);
 		clk = GetPskClock("", FALSE, FALSE);
 		if (clk>0) {
-			PrintAndLog("clk %d",clk);
+			//PrintAndLog("clk %d",clk);
-			sprintf(cmdStr,"%d", clk/2);
+			//sprintf(cmdStr,"%d", clk/2);
-			CmdLtrim(cmdStr);	
+			//CmdLtrim(cmdStr);	
 			if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate)) {
 				tests[hits].modulation = DEMOD_PSK1;
 				tests[hits].bitrate = bitRate;
@ -665,7 +664,7 @@ int CmdT55xxWriteBlock(const char *Cmd)
 	if (block > 7) {
 		PrintAndLog("Block number must be between 0 and 7");
-		return 2;
+		return 1;
 	}
 	UsbCommand resp;
--- a/common/lfdemod.c
+++ b/common/lfdemod.c
@ -369,7 +369,9 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow
 	if (fclow==0) fclow=8;
 	//set the threshold close to 0 (graph) or 128 std to avoid static
 	uint8_t threshold_value = 123; 
-
+	size_t preLastSample = 0;
 	size_t LastSample = 0;
 	size_t currSample = 0;
 	// sync to first lo-hi transition, and threshold
 	// Need to threshold first sample
@ -389,13 +391,22 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow
 		// Check for 0->1 transition
 		if (dest[idx-1] < dest[idx]) { // 0 -> 1 transition
-			if ((idx-last_transition)<(fclow-2)){            //0-5 = garbage noise
+			preLastSample = LastSample;
 			LastSample = currSample;
 			currSample = idx-last_transition;
 			if (currSample < (fclow-2)){            //0-5 = garbage noise
 				//do nothing with extra garbage
-			} else if ((idx-last_transition) < (fchigh-1)) { //6-8 = 8 waves
+			} else if (currSample < (fchigh-1)) { //6-8 = 8 sample waves
 				if (LastSample > (fchigh-2) && preLastSample < (fchigh-1)){
 					dest[numBits-1]=1;  //correct last 9 wave surrounded by 8 waves
 				}
 				dest[numBits++]=1;
-			} else if ((idx-last_transition) > (fchigh+1) && !numBits) { //12 + and first bit = garbage 
+
 			} else if (currSample > (fchigh+1) && !numBits) { //12 + and first bit = garbage 
 				//do nothing with beginning garbage
-			} else {                                         //9+ = 10 waves
+			} else if (currSample == (fclow+1) && LastSample == (fclow-1)) { // had a 7 then a 9 should be two 8's
 				dest[numBits++]=1;
 			} else {                                         //9+ = 10 sample waves
 				dest[numBits++]=0;
 			}
 			last_transition = idx;
@ -580,7 +591,7 @@ int IOdemodFSK(uint8_t *dest, size_t size)
 // by marshmellow
 // takes a array of binary values, start position, length of bits per parity (includes parity bit),
-//   Parity Type (1 for odd; 0 for even; 2 for just drop it), and binary Length (length to run) 
+//   Parity Type (1 for odd; 0 for even; 2 Always 1's), and binary Length (length to run) 
 size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t pType, size_t bLen)
 {
 	uint32_t parityWd = 0;
@ -590,10 +601,12 @@ size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t p
 			parityWd = (parityWd << 1) | BitStream[startIdx+word+bit];
 			BitStream[j++] = (BitStream[startIdx+word+bit]);
 		}
-		j--;
+		j--; // overwrite parity with next data
 		// if parity fails then return 0
-		if (pType != 2) {
+		if (pType == 2) { // then marker bit which should be a 1
-		if (parityTest(parityWd, pLen, pType) == 0) return -1;
+			if (!BitStream[j]) return 0;
 		} else {
 			if (parityTest(parityWd, pLen, pType) == 0) return 0;			
 		}
 		bitCnt+=(pLen-1);
 		parityWd = 0;