implement 'hf iclass snoop -j'

* fix long option --jam * make room for one more bit for FPGA minor mode * new mode FPGA_HF_READER_MODE_SEND_JAM * implement jamming in Handle15693SampleFromReader
2025-07-16 02:03:00 -07:00 · 2019-11-13 16:42:29 +01:00 · 2019-11-13 16:42:29 +01:00 · cd028159be
commit cd028159be
parent be09ea8603
13 changed files with 116 additions and 68 deletions
--- a/armsrc/fpgaloader.c
+++ b/armsrc/fpgaloader.c
@ -115,8 +115,7 @@ void SetupSpi(int mode)
 // Set up the synchronous serial port with the set of options that fits
 // the FPGA mode. Both RX and TX are always enabled.
 //-----------------------------------------------------------------------------
-void FpgaSetupSsc(uint8_t FPGA_mode)
+void FpgaSetupSsc(uint16_t FPGA_mode) {
 {
 	// First configure the GPIOs, and get ourselves a clock.
 	AT91C_BASE_PIOA->PIO_ASR =
 		GPIO_SSC_FRAME	|
@ -136,7 +135,7 @@ void FpgaSetupSsc(uint8_t FPGA_mode)
 	// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
 	// pulse, no output sync
-	if ((FPGA_mode & 0xe0) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
+	if ((FPGA_mode & 0x1c0) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
 		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
 	} else {
 		AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
@ -450,10 +449,9 @@ void FpgaDownloadAndGo(int bitstream_version)
 // The bit format is:  C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
 // where C is the 4 bit command and D is the 12 bit data
 //-----------------------------------------------------------------------------
-void FpgaSendCommand(uint16_t cmd, uint16_t v)
+void FpgaSendCommand(uint16_t cmd, uint16_t v) {
 {
 	SetupSpi(SPI_FPGA_MODE);
-	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);		// wait for the transfer to complete
+	while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0);	// wait for the transfer to complete
 	AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v;		// send the data
 }
@ -462,21 +460,18 @@ void FpgaSendCommand(uint16_t cmd, uint16_t v)
 // vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
 // avoid changing this function's occurence everywhere in the source code.
 //-----------------------------------------------------------------------------
-void FpgaWriteConfWord(uint16_t v)
+void FpgaWriteConfWord(uint16_t v) {
 {
 	FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
 }
 //-----------------------------------------------------------------------------
 // enable/disable FPGA internal tracing
 //-----------------------------------------------------------------------------
-void FpgaEnableTracing(void)
+void FpgaEnableTracing(void) {
 {
 	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 1);
 }
-void FpgaDisableTracing(void)
+void FpgaDisableTracing(void) {
 {
 	FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 0);
 }
--- a/armsrc/fpgaloader.h
+++ b/armsrc/fpgaloader.h
@ -19,7 +19,7 @@
 void FpgaSendCommand(uint16_t cmd, uint16_t v);
 void FpgaWriteConfWord(uint16_t v);
 void FpgaDownloadAndGo(int bitstream_version);
-void FpgaSetupSsc(uint8_t mode);
+void FpgaSetupSsc(uint16_t mode);
 void SetupSpi(int mode);
 bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count);
 void Fpga_print_status();
@ -45,17 +45,17 @@ void SetAdcMuxFor(uint32_t whichGpio);
 // Definitions for the FPGA configuration word.
 // LF
-#define FPGA_MAJOR_MODE_LF_ADC                      (0<<5)
+#define FPGA_MAJOR_MODE_LF_ADC                      (0<<6)
-#define FPGA_MAJOR_MODE_LF_EDGE_DETECT              (1<<5)
+#define FPGA_MAJOR_MODE_LF_EDGE_DETECT              (1<<6)
-#define FPGA_MAJOR_MODE_LF_PASSTHRU                 (2<<5)
+#define FPGA_MAJOR_MODE_LF_PASSTHRU                 (2<<6)
 // HF
-#define FPGA_MAJOR_MODE_HF_READER                   (0<<5)
+#define FPGA_MAJOR_MODE_HF_READER                   (0<<6)
-#define FPGA_MAJOR_MODE_HF_SIMULATOR                (1<<5)
+#define FPGA_MAJOR_MODE_HF_SIMULATOR                (1<<6)
-#define FPGA_MAJOR_MODE_HF_ISO14443A                (2<<5)
+#define FPGA_MAJOR_MODE_HF_ISO14443A                (2<<6)
-#define FPGA_MAJOR_MODE_HF_SNOOP                    (3<<5)
+#define FPGA_MAJOR_MODE_HF_SNOOP                    (3<<6)
-#define FPGA_MAJOR_MODE_HF_GET_TRACE                (4<<5)
+#define FPGA_MAJOR_MODE_HF_GET_TRACE                (4<<6)
 // BOTH
-#define FPGA_MAJOR_MODE_OFF                         (7<<5)
+#define FPGA_MAJOR_MODE_OFF                         (7<<6)
 // Options for LF_ADC
 #define FPGA_LF_ADC_READER_FIELD                    (1<<0)
@ -74,10 +74,11 @@ void SetAdcMuxFor(uint32_t whichGpio);
 #define FPGA_HF_READER_MODE_SNOOP_IQ                (5<<0)
 #define FPGA_HF_READER_MODE_SNOOP_AMPLITUDE         (6<<0)
 #define FPGA_HF_READER_MODE_SNOOP_PHASE             (7<<0)
 #define FPGA_HF_READER_MODE_SEND_JAM                (8<<0)
-#define FPGA_HF_READER_SUBCARRIER_848_KHZ           (0<<3)
+#define FPGA_HF_READER_SUBCARRIER_848_KHZ           (0<<4)
-#define FPGA_HF_READER_SUBCARRIER_424_KHZ           (1<<3)
+#define FPGA_HF_READER_SUBCARRIER_424_KHZ           (1<<4)
-#define FPGA_HF_READER_SUBCARRIER_212_KHZ           (2<<3)
+#define FPGA_HF_READER_SUBCARRIER_212_KHZ           (2<<4)
 // Options for the HF simulated tag, how to modulate
 #define FPGA_HF_SIMULATOR_NO_MODULATION             (0<<0)
--- a/armsrc/iso15693.c
+++ b/armsrc/iso15693.c
@ -84,7 +84,7 @@ static int DEBUG = 0;
 ///////////////////////////////////////////////////////////////////////
 // buffers
-#define ISO15693_DMA_BUFFER_SIZE        128 // must be a power of 2
+#define ISO15693_DMA_BUFFER_SIZE        256 // must be a power of 2
 #define ISO15693_MAX_RESPONSE_LENGTH     36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet
 #define ISO15693_MAX_COMMAND_LENGTH      45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet
@ -341,11 +341,6 @@ void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time,
 }
 static void jam(void) {
 	// send a short burst to jam the reader signal
 }
 //=============================================================================
 // An ISO 15693 decoder for tag responses (one subcarrier only).
 // Uses cross correlation to identify each bit and EOF.
@ -392,7 +387,7 @@ typedef struct DecodeTag {
 } DecodeTag_t;
-static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *restrict DecodeTag) {
+static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag) {
 	switch (DecodeTag->state) {
 		case STATE_TAG_SOF_LOW:
 			// waiting for a rising edge
@ -745,7 +740,8 @@ typedef struct DecodeReader {
 		STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF,
 		STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4,
 		STATE_READER_RECEIVE_DATA_1_OUT_OF_4,
-		STATE_READER_RECEIVE_DATA_1_OUT_OF_256
+		STATE_READER_RECEIVE_DATA_1_OUT_OF_256,
 		STATE_READER_RECEIVE_JAMMING
 	}           state;
 	enum {
 		CODING_1_OUT_OF_4,
@ -781,7 +777,7 @@ static void DecodeReaderReset(DecodeReader_t* DecodeReader) {
 }
-static int inline __attribute__((always_inline)) Handle15693SampleFromReader(bool bit, DecodeReader_t *restrict DecodeReader) {
+static int inline __attribute__((always_inline)) Handle15693SampleFromReader(bool bit, DecodeReader_t *DecodeReader) {
 	switch (DecodeReader->state) {
 		case STATE_READER_UNSYNCD:
 			// wait for unmodulated carrier
@ -920,12 +916,6 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
 				}
 				if (DecodeReader->bitCount == 15) { // we have a full byte
 					DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
 					if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
 						if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
 							jam(); // send a jamming signal
 							Dbprintf("JAMMING!");
 						}
 					}
 					if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
 						// buffer overflow, give up
 						LED_B_OFF();
@ -933,6 +923,13 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
 					}
 					DecodeReader->bitCount = 0;
 					DecodeReader->shiftReg = 0;
 					if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
 						if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
 							LED_D_ON();
 							FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM);
 							DecodeReader->state = STATE_READER_RECEIVE_JAMMING;
 						}
 					}
 				} else {
 					DecodeReader->bitCount++;
 				}
@ -968,11 +965,42 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
 						LED_B_OFF();
 						DecodeReaderReset(DecodeReader);
 					}
 					if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
 						if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
 							LED_D_ON();
 							FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM);
 							DecodeReader->state = STATE_READER_RECEIVE_JAMMING;
 						}
 					}
 				}
 				DecodeReader->bitCount++;
 			}
 			break;
 		case STATE_READER_RECEIVE_JAMMING:
 			DecodeReader->posCount++;
 			if (DecodeReader->Coding == CODING_1_OUT_OF_4) {
 				if (DecodeReader->posCount == 7*16) { // 7 bits jammed
 					FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE); // stop jamming
 					// FpgaDisableTracing();
 					LED_D_OFF();
 				} else if (DecodeReader->posCount == 8*16) {
 					DecodeReader->posCount = 0;
 					DecodeReader->output[DecodeReader->byteCount++] = 0x00;
 					DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4;
 				}
 			} else {
 				if (DecodeReader->posCount == 7*256) { // 7 bits jammend
 					FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE); // stop jamming
 					LED_D_OFF();
 				} else if (DecodeReader->posCount == 8*256) {
 					DecodeReader->posCount = 0;
 					DecodeReader->output[DecodeReader->byteCount++] = 0x00;
 					DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256;
 				}
 			}
 			break;
 		default:
 			LED_B_OFF();
 			DecodeReaderReset(DecodeReader);
@ -1212,7 +1240,7 @@ void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) {
 		if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) {                   // we have read all of the DMA buffer content.
 			upTo = dmaBuf;                                                 // start reading the circular buffer from the beginning
 			if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
-				FpgaDisableTracing();
+				// FpgaDisableTracing();
 				Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples);
 				break;
 			}
@ -1305,8 +1333,6 @@ void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) {
 	FpgaDisableSscDma();
 	LEDsoff();
 	DbpString("Snoop statistics:");
 	Dbprintf("  ExpectTagAnswer: %d, TagIsActive: %d, ReaderIsActive: %d", ExpectTagAnswer, TagIsActive, ReaderIsActive);
 	Dbprintf("  DecodeTag State: %d", DecodeTag.state);
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@ -180,7 +180,7 @@ static int CmdHFiClassSnoop(const char *Cmd) {
 	CLIParserInit("hf iclass snoop", "\nSnoop a communication between an iClass Reader and an iClass Tag.", NULL);
 	void* argtable[] = {
 		arg_param_begin,
-		arg_lit0("j",  "--jam",    "Jam (prevent) e-purse Updates"),
+		arg_lit0("j",  "jam",    "Jam (prevent) e-purse Updates"),
 		arg_param_end
 	};
 	if (CLIParserParseString(Cmd, argtable, arg_getsize(argtable), true)){
--- a/common/iso15693tools.c
+++ b/common/iso15693tools.c
@ -9,9 +9,8 @@
 #include "iso15693tools.h"
-#include "proxmark3.h"
+#include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
 #ifdef ON_DEVICE
 #include "printf.h"
 #else
@ -90,7 +89,7 @@ uint16_t iclass_crc16(char *data_p, unsigned short length) {
 	crc = ~crc;
 	data = crc;
 	crc = (crc << 8) | (data >> 8 & 0xff);
-	crc = crc ^ 0xBC3;
+	crc = crc ^ 0x0BC3;
 	return (crc);
 }
--- a/common/iso15693tools.h
+++ b/common/iso15693tools.h
@ -4,9 +4,10 @@
 #ifndef ISO15693TOOLS_H__
 #define ISO15693TOOLS_H__
 #include <stdint.h>
 // ISO15693 CRC
 #define ISO15693_CRC_CHECK   ((uint16_t)(~0xF0B8 & 0xFFFF))  // use this for checking of a correct crc
 uint16_t Iso15693Crc(uint8_t *v, int n);
 int Iso15693AddCrc(uint8_t *req, int n);
 char* Iso15693sprintUID(char *target, uint8_t *uid);
--- a/fpga/fpga_hf.bit
+++ b/fpga/fpga_hf.bit
--- a/fpga/fpga_hf.v
+++ b/fpga/fpga_hf.v
@ -13,8 +13,14 @@
 // iZsh <izsh at fail0verflow.com>, June 2014
 //-----------------------------------------------------------------------------
-// Defining modes and options. This must be aligned to the definitions in fpgaloader.h
+
 // Defining commands, modes and options. This must be aligned to the definitions in fpgaloader.h
 // Note: the definitions here are without shifts
 // Commands:
 `define FPGA_CMD_SET_CONFREG                        1
 `define FPGA_CMD_TRACE_ENABLE                       2
 // Major modes:
 `define FPGA_MAJOR_MODE_LF_ADC                      0
 `define FPGA_MAJOR_MODE_LF_EDGE_DETECT              1
@ -35,6 +41,7 @@
 `define FPGA_HF_READER_MODE_SNIFF_IQ                5
 `define FPGA_HF_READER_MODE_SNIFF_AMPLITUDE         6
 `define FPGA_HF_READER_MODE_SNIFF_PHASE             7
 `define FPGA_HF_READER_MODE_SEND_JAM                8
 `define FPGA_HF_READER_SUBCARRIER_848_KHZ           0
 `define FPGA_HF_READER_SUBCARRIER_424_KHZ           1
 `define FPGA_HF_READER_SUBCARRIER_212_KHZ           2
@ -79,7 +86,7 @@ module fpga_hf(
 //-----------------------------------------------------------------------------
 reg [15:0] shift_reg;
-reg [7:0] conf_word;
+reg [8:0] conf_word;
 reg trace_enable;
 // We switch modes between transmitting to the 13.56 MHz tag and receiving
@ -88,8 +95,8 @@ reg trace_enable;
 always @(posedge ncs)
 begin
 	case(shift_reg[15:12])
-		4'b0001: conf_word <= shift_reg[7:0];       // FPGA_CMD_SET_CONFREG
+		`FPGA_CMD_SET_CONFREG:  conf_word <= shift_reg[8:0];
-		4'b0010: trace_enable <= shift_reg[0];      // FPGA_CMD_TRACE_ENABLE
+		`FPGA_CMD_TRACE_ENABLE: trace_enable <= shift_reg[0];
 	endcase
 end
@ -103,11 +110,11 @@ begin
 end
 // select module (outputs) based on major mode
-wire [2:0] major_mode = conf_word[7:5];
+wire [2:0] major_mode = conf_word[8:6];
 // configuring the HF reader
-wire [1:0] subcarrier_frequency = conf_word[4:3];
+wire [1:0] subcarrier_frequency = conf_word[5:4];
-wire [2:0] minor_mode = conf_word[2:0];
+wire [3:0] minor_mode = conf_word[3:0];
 //-----------------------------------------------------------------------------
 // And then we instantiate the modules corresponding to each of the FPGA's
--- a/fpga/fpga_lf.bit
+++ b/fpga/fpga_lf.bit
--- a/fpga/fpga_lf.v
+++ b/fpga/fpga_lf.v
@ -29,17 +29,18 @@ module fpga_lf(
 reg [15:0] shift_reg;
 reg [7:0] divisor;
-reg [7:0] conf_word;
+reg [8:0] conf_word;
 reg [7:0] user_byte1;
 always @(posedge ncs)
 begin
-	case(shift_reg[15:12])
+	case (shift_reg[15:12])
-		4'b0001:
+		4'b0001:                                    // FPGA_CMD_SET_CONFREG
 			begin
-				conf_word <= shift_reg[7:0];
+				conf_word <= shift_reg[8:0];
-				if (shift_reg[7:0] == 8'b00000001) begin // LF edge detect
+				if (shift_reg[8:0] == 9'b000000001) 
-					user_byte1 <= 127; // default threshold
+				begin                               // LF edge detect
 					user_byte1 <= 127;              // default threshold
 				end
 			end
 		4'b0010: divisor <= shift_reg[7:0];			// FPGA_CMD_SET_DIVISOR
@ -49,14 +50,14 @@ end
 always @(posedge spck)
 begin
-	if(~ncs)
+	if (~ncs)
 	begin
 		shift_reg[15:1] <= shift_reg[14:0];
 		shift_reg[0] <= mosi;
 	end
 end
-wire [2:0] major_mode = conf_word[7:5];
+wire [2:0] major_mode = conf_word[8:6];
 // For the low-frequency configuration:
 wire lf_field = conf_word[0];
--- a/fpga/hi_iso14443a.v
+++ b/fpga/hi_iso14443a.v
@ -18,7 +18,7 @@ module hi_iso14443a(
    input ssp_dout;
    output ssp_frame, ssp_din, ssp_clk;
    output dbg;
-    input [2:0] mod_type;
+    input [3:0] mod_type;
 wire adc_clk = ck_1356meg;
--- a/fpga/hi_reader.v
+++ b/fpga/hi_reader.v
@ -19,7 +19,7 @@ module hi_reader(
    output ssp_frame, ssp_din, ssp_clk;
    output dbg;
    input [1:0] subcarrier_frequency;
-	input [2:0] minor_mode;
+	input [3:0] minor_mode;
 assign adc_clk = ck_1356meg;  // sample frequency is 13,56 MHz
@ -257,6 +257,19 @@ end
 assign ssp_din = corr_i_out[7];
 // a jamming signal
 reg jam_signal;
 reg [3:0] jam_counter;
 always @(negedge adc_clk)
 begin
 	if (corr_i_cnt == 6'd0)
 	begin
 		jam_counter <= jam_counter + 1;
 		jam_signal <= jam_counter[1] ^ jam_counter[3];
 	end
 end
 // Antenna drivers
 reg pwr_hi, pwr_oe4;
@ -272,10 +285,15 @@ begin
        pwr_hi  = ck_1356meg & ~ssp_dout;
        pwr_oe4 = 1'b0;
    end
    else if (minor_mode == `FPGA_HF_READER_MODE_SEND_JAM)
 	begin
        pwr_hi  = ck_1356meg & jam_signal;
        pwr_oe4 = 1'b0;
 	end
 	else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ        
 		  || minor_mode == `FPGA_HF_READER_MODE_SNIFF_AMPLITUDE
 		  || minor_mode == `FPGA_HF_READER_MODE_SNIFF_PHASE)
-	begin
+	begin // all off
 		pwr_hi  = 1'b0;
 		pwr_oe4 = 1'b0;
 	end
@ -284,7 +302,7 @@ begin
 		pwr_hi  = ck_1356meg;
 		pwr_oe4 = 1'b0;
 	end
-end
+end 
 // always on
 assign pwr_oe1 = 1'b0;
--- a/fpga/hi_simulate.v
+++ b/fpga/hi_simulate.v
@ -31,7 +31,7 @@ module hi_simulate(
    input ssp_dout;
    output ssp_frame, ssp_din, ssp_clk;
    output dbg;
-    input [2:0] mod_type;
+    input [3:0] mod_type;
 assign adc_clk = ck_1356meg;