Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-03-25 09:46:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

LF FPGA

// Definitions for the FPGA commands.
#define FPGA_CMD_SET_DIVISOR					(2<<12)
#define FPGA_CMD_SET_USER_BYTE1					(3<<12)

// Definitions for the FPGA configuration word.
#define FPGA_MAJOR_MODE_LF_ADC					(0<<5)
#define FPGA_MAJOR_MODE_LF_EDGE_DETECT				(1<<5)
#define FPGA_MAJOR_MODE_LF_PASSTHRU				(2<<5)

// Options for LF_ADC
#define FPGA_LF_ADC_READER_FIELD				(1<<0)

// Options for LF_EDGE_DETECT
#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD			FPGA_CMD_SET_USER_BYTE1
#define FPGA_LF_EDGE_DETECT_READER_FIELD 			(1<<0)
#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE				(1<<1)

From HITAG source code we get the following implementations of SIM/READER/SNIFF

SIMULATION

// load LF fpga image into FPGA.  This erases BigBuf
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

// Set up simulator mode
// major mode: edge_detect
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);

// frequency divisor which will drive the FPGA
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); // 125 kHz

// analog mux selection.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);

.... do your simulation stuff here

FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

READER

// load LF fpga image into FPGA.  This erases BigBuf
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

// Set up READER mode
// major mode: edge_detect
// minor mode: edge_detect_reader_field
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);

// frequency divisor which will drive the FPGA.  This sample sets 125 kHz
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95);

// analog mux selection.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);

.... do your LF reader stuff here

FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

SNIFF / SNOOP

// load LF fpga image into FPGA.  This erases BigBuf
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

// Set up eavesdropping mode
// major mode: Edge_detect
// minor mode: toggle_mode   --> iZsh mod?
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT  | FPGA_LF_EDGE_DETECT_TOGGLE_MODE);

// frequency divisor which will drive the FPGA.  This sample sets 125 kHz
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95);

// analog mux selection.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);

.... do your LF SNIFF/SNOOP stuff here
... usually you need a clock/timer, an array to save collected data, logtrace?

FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

From the LFOPS code we have the following. Why doesn't HITAG use major mode ADC when acting as reader?
READER:

// load LF fpga image into FPGA.  This erases BigBuf
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

// major mode: ADC
// minor mode: ADC_READER_FIELD 
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);

// frequency divisor which will drive the FPGA.  This sample sets 125 kHz
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95);

// analog mux selection.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);

.... do your LF reader stuff here

FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

So what do all the rest of the options do?

These two seem to be related to EDGE_DETECT and give a manual threshold for the detection. There is no sample in the source code.
Are they obsolete after iZsh's folding edge algo?

FpgaSendCommand(FPGA_CMD_SET_USER_BYTE1,  128 ); 
FpgaSendCommand( FPGA_CMD_SET_EDGE_DETECT_THRESHOLD, 0);

The elusive PASSTHRU

-- from lfops.c readtitag (Texas Instruments)
// Place FPGA in passthrough mode, in this mode the CROSS_LO line
// connects to SSP_DIN and the SSP_DOUT logic level controls
// whether we're modulating the antenna (high)
// or listening to the antenna (low)
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);


Also found in pcf7931.c SendCmdPCF7931.
In here it's more of ON/HIGH = modulating antenna,
OFF/LOW = stop modulating antenna.

There is no listening done in this code.

Some more questions;

Is the FPGA_MAJOR_MODE_LF_PASSTHRU mode good for SIM? 
Since both FPGA_MAJOR_MODE_LF_EDGE_DETECT and FPGA_MAJOR_MODE_LF_PASSTHRU are found in source code relating to SIM.
Which is best to use for SIM purposes?


The READER battle:
(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD) vs (FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD)
Which is best to use for READER purposes?


When is the best time to use FPGA_MAJOR_MODE_LF_PASSTHRU ?

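The post above lists the bit definitions and four setup sequences but never shows what actually crosses the ARM-to-FPGA SPI link. The program below is an added example, not code from the post or from the Proxmark3 firmware: it packs the quoted command and config-word definitions into the 16-bit wire word the way FpgaSendCommand()/FpgaWriteConfWord() do (command in bits 12..15, 8-bit payload in bits 0..7), decodes such a word back into major mode and option names, and converts between divisor and LF carrier. Assumptions, which the post does not state: FPGA_CMD_SET_CONFREG is (1<<12), FPGA_MAJOR_MODE_OFF is (7<<5), the FPGA runs from a 24 MHz pck0 and the carrier is pck0 / (2 * (divisor + 1)); the helper names fpga_cmd_word, fpga_conf_word, lf_divisor_to_hz, lf_hz_to_divisor and fpga_describe are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit SPI word: command in bits 12..15, 8-bit payload in bits 0..7. */
#define FPGA_CMD_SET_CONFREG             (1 << 12)  /* assumed: not quoted in the post */
#define FPGA_CMD_SET_DIVISOR             (2 << 12)
#define FPGA_CMD_SET_USER_BYTE1          (3 << 12)
#define FPGA_CMD_MASK                    0xF000

/* Config word: major mode in bits 5..7, minor/option bits in 0..4. */
#define FPGA_MAJOR_MODE_LF_ADC           (0 << 5)
#define FPGA_MAJOR_MODE_LF_EDGE_DETECT   (1 << 5)
#define FPGA_MAJOR_MODE_LF_PASSTHRU      (2 << 5)
#define FPGA_MAJOR_MODE_OFF              (7 << 5)  /* assumed: not quoted in the post */
#define FPGA_MAJOR_MODE_MASK             (7 << 5)
#define FPGA_MINOR_MODE_MASK             0x1F

#define FPGA_LF_ADC_READER_FIELD         (1 << 0)
#define FPGA_LF_EDGE_DETECT_READER_FIELD (1 << 0)
#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE  (1 << 1)

/* Assumed clock model: 24 MHz pck0, carrier = pck0 / (2 * (divisor + 1)).
 * This is what makes divisor 95 come out as 125 kHz. */
#define FPGA_PCK0_HZ 24000000UL

/* What FpgaSendCommand(cmd, v) shifts out: command bits OR'd with the payload. */
uint16_t fpga_cmd_word(uint16_t cmd, uint8_t v)
{
    return (uint16_t)((cmd & FPGA_CMD_MASK) | v);
}

/* What FpgaWriteConfWord(conf) shifts out. */
uint16_t fpga_conf_word(uint8_t conf)
{
    return fpga_cmd_word(FPGA_CMD_SET_CONFREG, conf);
}

unsigned long lf_divisor_to_hz(uint8_t divisor)
{
    return FPGA_PCK0_HZ / (2UL * ((unsigned long)divisor + 1UL));
}

/* Nearest divisor for a wanted carrier: round(pck0 / (2 * hz)) - 1. */
uint8_t lf_hz_to_divisor(unsigned long hz)
{
    unsigned long steps = (FPGA_PCK0_HZ + hz) / (2UL * hz);
    return (uint8_t)(steps - 1);
}

/* Decode a wire word into text. Returns chars written, 0 for an unknown command. */
int fpga_describe(uint16_t word, char *buf, size_t len)
{
    uint8_t v = (uint8_t)(word & 0xFF);
    switch (word & FPGA_CMD_MASK) {
    case FPGA_CMD_SET_DIVISOR:
        return snprintf(buf, len, "SET_DIVISOR %u (%lu Hz)", v, lf_divisor_to_hz(v));
    case FPGA_CMD_SET_USER_BYTE1:
        return snprintf(buf, len, "SET_USER_BYTE1 %u (edge-detect threshold)", v);
    case FPGA_CMD_SET_CONFREG: {
        const char *major;
        const char *opts = "";
        uint8_t minor = v & FPGA_MINOR_MODE_MASK;
        switch (v & FPGA_MAJOR_MODE_MASK) {
        case FPGA_MAJOR_MODE_LF_ADC:
            major = "LF_ADC";
            if (minor & FPGA_LF_ADC_READER_FIELD) opts = " +READER_FIELD";
            break;
        case FPGA_MAJOR_MODE_LF_EDGE_DETECT:
            major = "LF_EDGE_DETECT";
            if (minor == (FPGA_LF_EDGE_DETECT_READER_FIELD | FPGA_LF_EDGE_DETECT_TOGGLE_MODE))
                opts = " +READER_FIELD +TOGGLE_MODE";
            else if (minor & FPGA_LF_EDGE_DETECT_READER_FIELD) opts = " +READER_FIELD";
            else if (minor & FPGA_LF_EDGE_DETECT_TOGGLE_MODE)  opts = " +TOGGLE_MODE";
            break;
        case FPGA_MAJOR_MODE_LF_PASSTHRU: major = "LF_PASSTHRU"; break;
        case FPGA_MAJOR_MODE_OFF:         major = "OFF";         break;
        default:                          major = "UNKNOWN";     break;
        }
        return snprintf(buf, len, "SET_CONFREG %s%s (minor=0x%02x)", major, opts, minor);
    }
    default:
        return 0;
    }
}

int main(void)
{
    /* The setups from the post, replayed as the words that reach the FPGA. */
    const uint16_t seq[] = {
        fpga_conf_word(FPGA_MAJOR_MODE_LF_EDGE_DETECT),                                    /* HITAG SIM */
        fpga_conf_word(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD), /* HITAG READER */
        fpga_conf_word(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE),  /* HITAG SNIFF */
        fpga_conf_word(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD),                 /* LFOPS READER */
        fpga_cmd_word(FPGA_CMD_SET_DIVISOR, 95),                                           /* 125 kHz */
        fpga_cmd_word(FPGA_CMD_SET_DIVISOR, lf_hz_to_divisor(134200)),                     /* ~134 kHz */
        fpga_conf_word(FPGA_MAJOR_MODE_OFF),
    };
    char line[96];
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        fpga_describe(seq[i], line, sizeof line);
        printf("0x%04x  %s\n", seq[i], line);
    }
    return 0;
}
```

Running it prints one line per word, e.g. 0x1021 for the HITAG reader setup and 0x205F for the 125 kHz divisor; feeding lf_hz_to_divisor() a 134.2 kHz target yields 88, the value the client normally uses for 134 kHz tags, which is a quick sanity check of the assumed clock relation.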

#2 2017-03-27 17:15:01

Tiberius
Contributor
Registered: 2017-01-12
Posts: 33

Re: LF FPGA

Hi,

Thanks for the compilation, this is very helpful. I am currently dual-wielding two proxmarks and trying to figure out which sim routines are the best.
I will post my results, if I get any.


#3 2017-03-27 18:29:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: LF FPGA

further questions:

lo_edge_detect.v assigns the following pins:

// No logic, straight through.
assign pwr_oe1 = 1'b0; 						// not used in LF mode 
assign pwr_oe3 = 1'b0; 						// base antenna load = 33 Ohms
// when modulating, add another 33 Ohms and 10k Ohms in parallel:
assign pwr_oe2 = tag_modulation;
assign pwr_oe4 = tag_modulation; 

assign ssp_clk = cross_lo;
assign pwr_lo = reader_modulation;
assign pwr_hi = 1'b0;

and indicates pwr_oe1 is not used for LF  (and it does not use pwr_oe3 either, or leaves it Powered?)

lo_passthru.v assigns the following pins:

assign pwr_oe3 = 1'b0;
assign pwr_oe1 = ssp_dout;
assign pwr_oe2 = ssp_dout;
assign pwr_oe4 = ssp_dout;
assign pwr_lo = pck_divclk && ssp_dout;
assign pwr_hi = 1'b0;
assign adc_clk = 1'b0;
assign ssp_din = cross_lo;
assign dbg = cross_lo;

leaving out pwr_oe3(or leaves it Powered?) but modulating pwr_oe1

why? 

i would guess pwr_oe1 doesn't do anything on LF so modulating it or not doesn't matter if it is on or off?

Now some of how I read the code (I'm not an expert on the hardware or code... so take these thoughts accordingly...)
lf passthru is good for 2 way communication bit banging and likely works just as well for sim as lf edge detect.
(though lf edge detect appears to work just as well for this if you want to use the lf edge detect read mode)

lf edge detect has some special code around reading and filtering frames of waves (edge & peak detection used) and can be used to demodulate some waveforms realtime if you were to monitor ssp_frame.  (though there is limited use of this code)

lf adc mode appears to be mainly for just taking and passing tag/snoop samples to the arm.  some form of bit banging can be simulated by turning the antenna on and off, but this turns off the entire antenna meaning sim is impossible.  I think...

