1 //-----------------------------------------------------------------------------
2 // ISO14443-A support for the Proxmark III
3 // Gerhard de Koning Gans, April 2008
4 //-----------------------------------------------------------------------------
7 pck0
, ck_1356meg
, ck_1356megb
,
8 pwr_lo
, pwr_hi
, pwr_oe1
, pwr_oe2
, pwr_oe3
, pwr_oe4
,
10 ssp_frame
, ssp_din
, ssp_dout
, ssp_clk
,
// Port directions. Original lines 17-19 are not shown in this listing, so the
// direction of ports such as ssp_dout is not visible here.
// Clock inputs.
input pck0, ck_1356meg, ck_1356megb;
// Antenna driver outputs. In the assigns at the end of the module pwr_lo and
// pwr_oe1..pwr_oe3 are tied to 1'b0, pwr_oe4 carries modulating_carrier and
// pwr_hi is a gated copy of ck_1356megb.
output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4;
// Serial link towards the ARM; ssp_din is driven from bit_to_arm.
output ssp_frame, ssp_din, ssp_clk;
// Not referenced in the part of the module shown in this listing.
input cross_hi, cross_lo;
29 always @(posedge ck_1356meg
)
// The ADC is clocked straight from ck_1356meg, so every "negedge adc_clk"
// block below advances once per ck_1356meg period.
assign adc_clk = ck_1356meg;
// after_hysteresis is the thresholded ADC signal; the _prev1.._prev3 copies are
// snapshots of it taken at negedge_cnt == 15, 31 and 47 and packed into to_arm.
reg after_hysteresis, after_hysteresis_prev1, after_hysteresis_prev2, after_hysteresis_prev3;
// 12-bit counter; compared against 12'd4095 further down.
reg [11:0] has_been_low_for;
// NOTE(review): declared 9 bits wide, but in the lines shown it is only
// compared with 8'd255 and cleared with 8'd0, so bit 8 looks unused -
// confirm against the full always block and consider [7:0].
reg [8:0] saw_deep_modulation;
// 3-bit counter; compared against 3'd7 further down.
reg [2:0] deep_counter;
40 always @(negedge adc_clk
)
// Hysteresis on the upper ADC bits: go high when adc_d[7:6] are both set, go
// low when adc_d[7:4] are all clear, and hold the previous value in between.
if(& adc_d[7:6]) after_hysteresis <= 1'b1;
else if(~(| adc_d[7:4])) after_hysteresis <= 1'b0;
47 if(deep_counter
== 3'd7)
49 deep_modulation
<= 1'b1;
50 saw_deep_modulation
<= 8'd0;
53 deep_counter
<= deep_counter
+ 1;
58 if(saw_deep_modulation
== 8'd255)
59 deep_modulation
<= 1'b0;
61 saw_deep_modulation
<= saw_deep_modulation
+ 1;
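// Clear the 12-bit counter. The literal is sized to the register width; a
// narrower zero literal is zero-extended, so the stored value is the same,
// but the sized form matches the 12'd0 / 12'd4095 literals used for this
// register elsewhere and keeps width lint clean.
has_been_low_for <= 12'd0;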
70 if(has_been_low_for
== 12'd4095)
72 has_been_low_for
<= 12'd0;
73 after_hysteresis
<= 1'b1;
76 has_been_low_for
<= has_been_low_for
+ 1;
// Report every 4 subcarrier cycles
// 64 periods of carrier frequency => 6-bit counter [negedge_cnt]
reg [5:0] negedge_cnt;
reg [3:0] count_zeros;
reg signed [12:0] step1;
reg signed [12:0] step2;
wire signed [9:0] dif;
// A register to send the results to the arm
reg signed [7:0] to_arm;
// "average" accumulates adc_d over a 16-clock window (see the negedge_cnt[3:0]
// test further down), so its bits [11:4] are that sum divided by 16.
assign avg[7:0] = average[11:4];
// lavg minus the current window mean; the declaration and update of lavg are
// not shown in this listing.
assign dif = lavg - avg;
// Frame-delay-time state. fdt_counter is 11 bits wide and is compared against
// 740, 772 and 1148 in the lines shown.
reg fdt_indicator, fdt_elapsed;
reg [10:0] fdt_counter;
// 48-bit buffer filled from ssp_dout and read back through mod_sig_ptr.
reg [47:0] mod_sig_buf;
wire mod_sig_buf_empty;
// NOTE(review): 6 bits can address 0..63 while mod_sig_buf has only 48 bits;
// the lines shown wrap the pointer at 6'b101110 (46) - confirm no path lets it
// run past 47.
reg [5:0] mod_sig_ptr;
reg [3:0] mod_sig_flip;
reg mod_sig, mod_sig_coil;
reg temp_buffer_reset;
// High while no bit of mod_sig_buf is set.
assign mod_sig_buf_empty = ~(|mod_sig_buf[47:0]);
// Counts 0..7; ssp_frame is asserted while it equals 7.
reg [2:0] ssp_frame_counter;
115 // ADC data appears on the rising edge, so sample it on the falling edge
116 always @(negedge adc_clk
)
// Frame delay time, counted by fdt_counter in adc_clk (= ck_1356meg) periods.
// last bit = 0 then fdt = 1172, in case of 0x26 (7-bit command, LSB first!)
// last bit = 1 then fdt = 1236, in case of 0x52 (7-bit command, LSB first!)
// (0x26 and 0x52 are the ISO 14443-3 REQA and WUPA short frames.)
// NOTE(review): this is a blocking assignment inside a clocked block, and
// sendbit appears to read fdt_indicator later in the same block; converting it
// to <= would change the cycle in which the new value is seen, so leave the
// assignment style alone unless the whole block is re-timed.
if(fdt_counter == 11'd740) fdt_indicator = 1'b1;
123 if(fdt_counter
== 11'd1148)
127 if(negedge_cnt
[3:0] == mod_sig_flip
[3:0]) mod_sig_coil
<= mod_sig
;
131 mod_sig_flip
[3:0] <= negedge_cnt
[3:0];
132 mod_sig_coil
<= mod_sig
;
134 fdt_indicator
= 1'b0;
136 if(~(| mod_sig_ptr
[5:0])) mod_sig_ptr
<= 6'b001001;
137 else temp_buffer_reset
= 1'b1; // fix position of the buffer pointer
142 fdt_counter
<= fdt_counter
+ 1;
145 if(& negedge_cnt
[3:0])
// When there is a dip in the signal and not in reader mode
// Concretely: after_hysteresis is low, the modulation buffer is empty and
// mod_type is none of 3'b100, 3'b011, 3'b010. The frame-delay counter, its
// indicator, the buffer-reset flag and the buffer pointer are then cleared.
// (Original lines 149 and 151 are not shown in this listing.)
if(~after_hysteresis && mod_sig_buf_empty && ~((mod_type == 3'b100) || (mod_type == 3'b011) || (mod_type == 3'b010))) // last condition to prevent reset
    fdt_counter <= 11'd0;
    fdt_indicator = 1'b0;
    temp_buffer_reset = 1'b0;
    mod_sig_ptr <= 6'b000000;
159 if(stepsize
<16) stepsize
= 8'd16;
164 step2
= stepsize
*2; // 3:2
186 if(& count_ones
[3:2])
188 curbit
= 1'b0; // suppressed signal
189 stepsize
= 8'd24; // just a fine number
193 count_ones
<= count_ones
+ 1;
199 if(& count_zeros
[3:0])
205 count_zeros
<= count_zeros
+ 1;
// What do we communicate to the ARM
// sendbit is selected by mod_type:
//   3'b001 -> after_hysteresis
//   3'b010 -> fdt_indicator until fdt_counter exceeds 772, then mod_sig_coil
//   3'b011 -> curbit
// For other mod_type values nothing in the lines shown assigns sendbit.
// (Original lines 212 and 215, which bracket the nested if/else, are not
// shown in this listing.)
if(mod_type == 3'b001) sendbit = after_hysteresis;
else if(mod_type == 3'b010)
    if(fdt_counter > 11'd772) sendbit = mod_sig_coil;
    else sendbit = fdt_indicator;
else if(mod_type == 3'b011) sendbit = curbit;
// Running sum of ADC samples over each 16-clock window: restart from the
// current sample when negedge_cnt[3:0] == 0, otherwise keep accumulating.
// avg is taken from average[11:4], i.e. this sum divided by 16.
if(~(| negedge_cnt[3:0])) average <= adc_d;
else average <= average + adc_d;
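// Last clock of the 64-clock reporting window. The literal is sized to the
// 6-bit negedge_cnt, matching the 6'd15 / 6'd31 / 6'd47 comparisons used for
// the same counter elsewhere in this module; the comparison result is unchanged.
if(negedge_cnt == 6'd63)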
// Byte handed to the ARM. Upper nibble: after_hysteresis as sampled at
// negedge_cnt == 15, 31 and 47, followed by its current value. Lower nibble:
// zeros in the first form, bit1..bit3 and curbit in the second.
// The condition that selects between the two forms is not shown in this
// listing (original lines 229-231).
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis,1'b0,1'b0,1'b0,1'b0};
to_arm <= {after_hysteresis_prev1,after_hysteresis_prev2,after_hysteresis_prev3,after_hysteresis,bit1,bit2,bit3,curbit};
240 negedge_cnt
<= negedge_cnt
+ 1;
// Snapshot after_hysteresis at the end of each of the first three 16-clock
// quarters of the 64-clock window; the three snapshots plus the live value
// form the upper nibble of to_arm.
if(negedge_cnt == 6'd15)
    after_hysteresis_prev1 <= after_hysteresis;
if(negedge_cnt == 6'd31)
    after_hysteresis_prev2 <= after_hysteresis;
if(negedge_cnt == 6'd47)
    after_hysteresis_prev3 <= after_hysteresis;
260 if(mod_type
!= 3'b000)
262 if(negedge_cnt
[3:0] == 4'b1000)
// The modulation signal of the tag
// Shift the 48-bit buffer up by one position: old bits [46:1] move to [47:2],
// ssp_dout enters at bit 1, and bit 0 is always written as 0. The old bits 47
// and 0 are discarded.
mod_sig_buf[47:0] <= {mod_sig_buf[46:1], ssp_dout, 1'b0};
266 if((ssp_dout ||
(| mod_sig_ptr
[5:0])) && ~fdt_elapsed
)
267 if(mod_sig_ptr
== 6'b101110)
269 mod_sig_ptr
<= 6'b000000;
271 else mod_sig_ptr
<= mod_sig_ptr
+ 1;
272 else if(fdt_elapsed
&& ~temp_buffer_reset
)
274 if(ssp_dout
) temp_buffer_reset
= 1'b1;
275 if(mod_sig_ptr
== 6'b000010) mod_sig_ptr
<= 6'b001001;
276 else mod_sig_ptr
<= mod_sig_ptr
- 1;
// side effect: when ptr = 1 it will cancel the first 1 of every block of ones
// Isolated-bit suppression: if both neighbours of the selected buffer bit are
// 0 the output is forced to 0; otherwise the selected bit is output, gated by
// fdt_elapsed.
// NOTE(review): mod_sig_ptr-1 at ptr == 0 and mod_sig_ptr+1 at ptr == 47 select
// outside mod_sig_buf[47:0]; an out-of-range bit-select reads as x in
// simulation and is tool-dependent in synthesis. Confirm the pointer can never
// hold those values when this statement runs.
if(~mod_sig_buf[mod_sig_ptr-1] && ~mod_sig_buf[mod_sig_ptr+1]) mod_sig = 1'b0;
else mod_sig = mod_sig_buf[mod_sig_ptr] & fdt_elapsed; // & fdt_elapsed was for direct relay to oe4
287 // SSP Clock and data
288 if(mod_type
== 3'b000)
290 if(negedge_cnt
[2:0] == 3'b100)
293 if(negedge_cnt
[2:0] == 3'b000)
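// Don't shift if we just loaded new data, obviously.
// The zero literal is sized to the 6-bit negedge_cnt, consistent with the
// 6'd15 / 6'd31 / 6'd47 comparisons on the same counter; the result of the
// comparison is unchanged.
if(negedge_cnt != 6'd0)
    // MSB-first shift: to_arm[7] is the bit copied to bit_to_arm.
    to_arm[7:1] <= to_arm[6:0];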
303 if(negedge_cnt
[5:4] == 2'b00)
308 bit_to_arm
= to_arm
[7];
312 if(negedge_cnt
[3:0] == 4'b1000) ssp_clk
<= 1'b0;
314 if(negedge_cnt
[3:0] == 4'b0111)
316 if(ssp_frame_counter
== 3'd7) ssp_frame_counter
<= 3'd0;
317 else ssp_frame_counter
<= ssp_frame_counter
+ 1;
320 if(negedge_cnt
[3:0] == 4'b0000)
325 ssp_frame
= (ssp_frame_counter
== 3'd7);
327 bit_to_arm
= sendbit
;
// Serial data towards the ARM; bit_to_arm is loaded from to_arm[7] or from
// sendbit in the clocked block above.
assign ssp_din = bit_to_arm;
// Modulating carrier frequency is fc/16
// negedge_cnt[3] toggles every 8 clocks, which gives the fc/16 square wave; it
// is passed on only while mod_sig_coil is set and mod_type == 3'b010.
wire modulating_carrier;
assign modulating_carrier = (mod_sig_coil & negedge_cnt[3] & (mod_type == 3'b010));
// pwr_hi follows ck_1356megb when mod_type == 3'b011, or when
// mod_type == 3'b100 and mod_sig_coil is low; otherwise it is held at 0.
assign pwr_hi = (ck_1356megb & (((mod_type == 3'b100) & ~mod_sig_coil) || (mod_type == 3'b011)));

// This one is all LF, so doesn't matter
//assign pwr_oe2 = modulating_carrier;
assign pwr_oe2 = 1'b0;

// Toggle only one of these, since we are already producing much deeper
// modulation than a real tag would.
//assign pwr_oe1 = modulating_carrier;
assign pwr_oe1 = 1'b0;
assign pwr_oe4 = modulating_carrier;
//assign pwr_oe4 = 1'b0;

// This one is always on, so that we can watch the carrier.
// NOTE(review): "always on" next to a constant 1'b0 presumably means this
// output enable is active-low - confirm against the board schematic.
//assign pwr_oe3 = modulating_carrier;
assign pwr_oe3 = 1'b0;

// Debug output: bit 3 of negedge_cnt, i.e. the fc/16 square wave.
assign dbg = negedge_cnt[3];

// pwr_lo is held at 0 in this module.
assign pwr_lo = 1'b0;