
/** \file
 * AVR RFID card.
 *
 * Based on avrfrid.S by Beth at Scanlime.
 * http://scanlime.org/2008/09/using-an-avr-as-an-rfid-tag/
 *
 * Normal C code doesn't really work here since we are limited to
 * very small number of cycles per bit.  The HID Prox cards are
 * FSK modulated with only four or five RF cycles per baseband cycle.
 * Since the AVR RCALL and RET instructions take four clocks each
 * we would miss all of our timing constraints if we tried to make those calls.
 *
 * However, the IJMP only takes 2 clock cycles, so we can build a state
 * machine and use it to make "function calls".  LPM also takes three
 * clocks, so we can't load a full address and jump to it within the
 * timing constraint, but we can split these operations across the
 * ten 5-cycle transitions during sending a baseband 1. 
 *
 * Each of these transitions takes 2 cycles for the XOR and OUT to
 * set the state, which leaves three cycles for our work.
 *
 */
#include <avr/io.h>
#include <avr/pgmspace.h>
#include <avr/sfr_defs.h>

/* Forward declarations of the state-machine states referenced from
 * state_handlers[] below.  None of them returns in the usual sense: each
 * one finishes with an indirect jump (ijmp) or an rjmp into the next state. */
static void manchester_0(void);
static void manchester_1(void);
static void hid_header(void);
static void hid_reset(void);
//int main(void);

/* Credential fields as originally documented.
 * NOTE(review): nothing in this file references these three macros; the
 * hid_bits[] table below is hand-encoded (its own comment says "fc-12"),
 * so changing these values alone does not change what the tag transmits. */
#define HID_MFG_CODE        0x01002  // Do not modify
#define HID_SITE_CODE       42
#define HID_UNIQUE_ID       23946     // May be written on the back of the card

/* Control characters in hid_bits[].  baseband_1_load() turns each
 * character c into state_handlers[c - '0'], so '2' selects hid_header
 * and '3' selects hid_reset. */
#define HID_HEADER "2"
#define HID_RESET "3"

/** The bit stream the tag emits, one state per character, read from flash.
 *
 * baseband_1_load() decodes each character c as state_handlers[c - '0']:
 * '0' -> manchester_0, '1' -> manchester_1, '2' -> hid_header,
 * '3' -> hid_reset.  hid_reset() sets bit_num back to 1, so entry 0 (the
 * header character) is never looked up through the table; it is only
 * there for readability.
 *
 * This table is the complete credential the tag presents, stored in the
 * clear in program memory.
 *
 * NOTE(review): baseband_1_load() adds bit_num to the low byte of the
 * table address only (no carry into r31), so the table must not straddle
 * a 256-byte boundary in flash.  Check the linker map whenever the layout
 * changes.
 */
static const char hid_bits[]
PROGMEM __attribute__((__used__)) = {
/*
	Alternative encoding, kept for reference.  It matches the
	HID_SITE_CODE / HID_UNIQUE_ID macros above rather than the
	live table below.

	HID_HEADER
	"0000"
	"0001"
	"0000"
	"0000"
	"0010" // HID Manufacturer code
	"00101010" // Site code 42
	"01011101"
	"10001010" // ID 23946
	"0" // parity
*/

	HID_HEADER
	"0000"
	"0001"
	"0000"
	"0000"
	"0010" // HID Manufacturer code
	"00000000" // fc-12
	"00001100"
	"0011100000100011"
	"0"
	HID_RESET
};

/* A state is a function that hands control on via Z (ijmp) instead of
 * returning. */
typedef void (*state_function)(void);

/** Jump table indexed by (hid_bits[i] - '0').
 *
 * Order must match the character codes: 0 = manchester_0,
 * 1 = manchester_1, 2 = HID_HEADER, 3 = HID_RESET.  baseband_1_load()
 * doubles the index (lsl) and fetches two bytes (lpm Z+, lpm Z), i.e. it
 * relies on 2-byte entries.  Same caveat as hid_bits[]: the index is added
 * to the low address byte only, so keep this table inside one 256-byte
 * flash page.
 */
static const state_function state_handlers[]
PROGMEM __attribute__((__used__)) = {
	manchester_0,
	manchester_1,
	hid_header,
	hid_reset,
};


#if 0
// HID manufacturer code (20 bits) == 0x01002
_0, _0, _0, _0,
_0, _0, _0, _1, _0, _0, _0, _0,
_0, _0, _0, _0, _0, _0, _1, _0,

// Facility code (8 bits) == 42
_0, _0, _1, _0, _1, _0, _1, _0,

// ID (16 bits) == 23946
_0, _1, _0, _1, _1, _1, _0, _1,
_1, _0, _0, _0, _1, _0, _1, _0,

// Parity
_0,

// And return to the header when we're done
hid_header
};
#endif


/** Use r16 and r17 to track the state of the pins.
 *
 * These are hard coded in the "toggle" assembler macro below
 * (eor r16, r17 / out DDRB, r16): r16 holds the current DDRB value and
 * r17 the bit mask that is XORed into it on every toggle.  Both are
 * initialised in main().
 */
volatile register uint8_t r16 __asm__("r16"); 
volatile register uint8_t r17 __asm__("r17"); 

/** r15 tracks which bit are we currently sending.
 *
 * Index into hid_bits[].  It is incremented inside baseband_1_load() and
 * reset to 1 by hid_reset(); both access it as an inline-asm operand, and
 * the value has to survive from one state to the next without any C code
 * saving it, which is why it lives in a fixed register.
 */
volatile register uint8_t bit_num __asm__("r15"); 



/** Transfer control to the address currently held in Z (r31:r30).
 *
 * PC <- Z, 2 clocks.  The loop after the asm is never executed; it only
 * exists so gcc accepts the noreturn attribute.
 */
static inline void
__attribute__((__noreturn__))
ijmp(void)
{
	__asm__ __volatile__("ijmp");
	for (;;) {
		/* unreachable: control already left via ijmp */
	}
}


/**
 * Delay a specific number of clock cycles.
 *
 * rjmp is 2 clocks, nop is 1.
 *
 * So do one nop if the delay is an odd value and then rjmp's for n/2
 * to maximize code density.  Doesn't matter for the state machine version,
 * but otherwise the straight-code version would overflow the 8 KB space.
 *
 * @param n  Clocks to burn.  Intended for constant arguments (every caller
 *           in this file passes a literal) so the switch folds into a
 *           straight run of rjmp/nop.  Only 0..17 is covered: for n/2 > 8
 *           no case matches and there is no default, so only the odd nop
 *           (if any) is emitted.  Callers here use n <= 5.
 */
static inline void
__attribute__((__always_inline__))
delay(
	const uint8_t n
)
{
	// Each case falls through to the next: case k emits k rjmp's.
	switch (n/2)
	{
	case 8: asm("rjmp .+0"); /* fallthrough */
	case 7: asm("rjmp .+0"); /* fallthrough */
	case 6: asm("rjmp .+0"); /* fallthrough */
	case 5: asm("rjmp .+0"); /* fallthrough */
	case 4: asm("rjmp .+0"); /* fallthrough */
	case 3: asm("rjmp .+0"); /* fallthrough */
	case 2: asm("rjmp .+0"); /* fallthrough */
	case 1: asm("rjmp .+0"); /* fallthrough */
	case 0: break;
	}

	// Odd remainder: one more clock.
	if (n % 2 == 1)
		asm("nop");
}


/** Toggle the output pins to change the coil state.
 *
 * Defined as an assembler macro (rather than a C function) so it can also
 * be expanded inside the hand-written asm of baseband_1_load(), where
 * every instruction is cycle-counted.
 *
 * The DDRB pins are used to short the coil, which causes
 * an increase in current draw at the reader.
 *
 * 2 clocks.  0x17 is the I/O-space address of DDRB on the part this was
 * written for; a top-level asm() cannot take operands, so it cannot use
 * _SFR_IO_ADDR(DDRB) symbolically -- re-check the value if the target
 * device changes.
 */
asm(
	".macro toggle\n"
	"eor r16, r17\n"
	"out 0x17, r16\n" // _SFR_IO_ADDR(DDRB)
	".endm\n"
);


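/** Emit one "toggle" (2 clocks): r16 ^= r17; DDRB = r16.
 *
 * Declared inline as well as always_inline: gcc only honours always_inline
 * without a -Wattributes warning on functions that are also declared
 * inline, and an out-of-line call here would add the rcall/ret cost the
 * file header explains no slot can absorb.
 */
static inline void
__attribute__((__always_inline__))
toggle_raw(void)
{
	__asm__ __volatile__("toggle");
}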


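/** Toggle the coil pins and then idle so the whole step takes n clocks.
 *
 * toggle_raw() itself costs 2 clocks; the remainder is burnt in delay().
 * Declared inline so the always_inline attribute is honoured cleanly.
 *
 * @param n  Total clocks for this step.  n <= 2 means no padding at all,
 *           which baseband_0() uses to leave 2 clocks to its caller.
 */
static inline void
__attribute__((__always_inline__))
toggle(	
	const uint8_t n
)
{
	toggle_raw();

	if (n > 2)
		delay(n-2);
}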

/* Clocks between coil toggles for the two FSK symbols: a baseband 0 is
 * twelve 4-clock toggles (48 clocks), a baseband 1 ten 5-clock toggles
 * (50 clocks).  See baseband_0() and baseband_1(). */
#define ZERO_FREQ	4
#define ONE_FREQ	5


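/** Send a 0 at the baseband layer: twelve toggles, 4 clocks apart.
 *
 * @param delay_slot  Non-zero: the final toggle is padded to ZERO_FREQ
 *                    like the others, 48 clocks in total.  Zero: the final
 *                    toggle is emitted bare (2 clocks, 46 in total), leaving
 *                    2 clocks for the caller -- manchester_1() spends them
 *                    on ijmp().  Pass a literal; all callers do, so the
 *                    ternary folds away.
 */
static inline void
__attribute__((__always_inline__))
baseband_0(
	uint8_t delay_slot
)
{
	toggle(ZERO_FREQ); // 4
	toggle(ZERO_FREQ); // 8
	toggle(ZERO_FREQ); // 12
	toggle(ZERO_FREQ); // 16
	toggle(ZERO_FREQ); // 20
	toggle(ZERO_FREQ); // 24
	toggle(ZERO_FREQ); // 28
	toggle(ZERO_FREQ); // 32
	toggle(ZERO_FREQ); // 36
	toggle(ZERO_FREQ); // 40
	toggle(ZERO_FREQ); // 44
	toggle(delay_slot ? ZERO_FREQ : 0); // 48, or 46 when delay_slot == 0
}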



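/** Send a 1 at the baseband layer: ten toggles, 5 clocks apart (50 clocks).
 *
 * Only hid_header() uses this, for the run of header 1s that carries no
 * data; every other baseband 1 goes through baseband_1_load(), the variant
 * that also fetches the next state.  No free slot is left at the end.
 * Declared inline so the always_inline attribute is honoured cleanly.
 */
static inline void
__attribute__((__always_inline__))
baseband_1(void)
{
	toggle(ONE_FREQ); //  5
	toggle(ONE_FREQ); // 10
	toggle(ONE_FREQ); // 15
	toggle(ONE_FREQ); // 20
	toggle(ONE_FREQ); // 25
	toggle(ONE_FREQ); // 30
	toggle(ONE_FREQ); // 35
	toggle(ONE_FREQ); // 40
	toggle(ONE_FREQ); // 45
	toggle(ONE_FREQ); // 50
}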


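/** Send a 1 at the baseband layer while fetching the next state.
 *
 * Interleaved with the FSK are the operations to load the next
 * function pointer.  Once the function "returns", the Z register
 * will contain the address of the next function in the state machine,
 * and bit_num has been advanced by one.  The slot after the tenth toggle
 * is left empty (3 clocks) for the caller.
 *
 * This was too difficult to write in C and have gcc output the correct
 * stream of instructions.  Instead it is in inline assembly.
 * The rough translation into C:
 *
 *	toggle 5
 *			z = &hid_bits[bit_num];
 *	toggle 10
 *			next_state = lpm(z);
 *	toggle 15
 *			next_state = (next_state - '0') * 2
 *	toggle 20
 *			z = &state_handlers[next_state];
 *	toggle 25
 *			next_func_lo = lpm(z++);
 *	toggle 30
 *			next_func_hi = lpm(z++);
 *	toggle 35
 *			z = next_func_hi << 8 | next_func_lo;
 *	toggle 40
 *			bit_num++;
 *	toggle 45
 *			delay
 *	toggle 50
 *			No delay (leave these free for caller)
 *
 * Each 3-clock slot between toggles is full or padded to exactly 3 clocks;
 * do not add or remove instructions without re-counting.
 *
 * NOTE(review): both table offsets are added to r30 only, with no carry into
 * r31, so hid_bits[] and state_handlers[] must each sit inside a single
 * 256-byte flash page.  There is no spare clock before the first lpm to
 * add a carry, so this has to be guaranteed by placement.
 *
 * The asm reads bit_num (add r30, %0) before writing it (inc %0), so the
 * operand is "+r", not "=r".  r24 is scratch and r30/r31 are clobbered;
 * Z holding the next state on exit is the intended side effect.
 */
static inline void
__attribute__((__always_inline__))
baseband_1_load(void)
{
	__asm__ __volatile__(
		"toggle /* 5 */\n"
					"ldi r30, lo8(hid_bits)\n"
					"ldi r31, hi8(hid_bits)\n"
					"add r30, %0\n"
		"toggle /* 10 */\n"
					"lpm r24, Z\n"
		"toggle /* 15 */\n"
					"ldi r30, lo8(state_handlers)\n"
					"ldi r31, hi8(state_handlers)\n"
					"nop\n"
		"toggle /* 20 */\n"
					"subi r24, '0'\n"
					"lsl r24\n"
					"add r30, r24\n"
		"toggle /* 25 */\n"
					"lpm r24, Z+\n"
		"toggle /* 30 */\n"
					"lpm r31, Z\n"
		"toggle /* 35 */\n"
					"mov r30, r24\n"
					"rjmp .+0\n"
		"toggle /* 40 */\n"
					"inc %0\n"
					"rjmp .+0\n"
		"toggle /* 45 */\n"
					"nop\n"
					"rjmp .+0\n"
		"toggle /* 50 */\n"
					"/* Leave slot free */\n"
		: "+r" (bit_num) // 0: read by "add r30, %0", written by "inc %0"
		: /* no inputs */
		: "r24", "r30", "r31" // scratch and Z; Z deliberately carries the next state out
	);
}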


/** Send the HID header start bits.
 *
 * The HID header is an illegal state in the Manchester encoding
 * used to indicate the start of the packet: three baseband 0s followed
 * by three baseband 1s, with no 0/1 alternation in between.
 *
 * The last baseband 1 (baseband_1_load()) fetches hid_bits[bit_num] and
 * leaves the matching state_handlers[] entry in Z; delay(1) + ijmp() then
 * fill the 3-clock slot that baseband_1_load() leaves open, exactly as in
 * manchester_0().
 *
 * Entered by rjmp from hid_reset().  It is also state_handlers[2], but the
 * only '2' in hid_bits[] is at index 0, which is never looked up.
 */
static void
hid_header(void)
{

	baseband_0(1);
	baseband_0(1);
	baseband_0(1);
	baseband_1();
	baseband_1();
	baseband_1_load();
				delay(1);	// 1 clock + 2 for ijmp = the 3-clock free slot
				ijmp();
}



/** Output a manchester 0.
 *
 * Output a baseband 0, followed by a baseband 1.
 * During the baseband 1 the Z register will be updated
 * to contain the pointer to the next function in the state machine.
 *
 * After the 1, with one delay slot since ijmp() takes two clocks,
 * we jump to the next state.
 *
 * Clock accounting: baseband_0(1) is a full 48 clocks; baseband_1_load()
 * leaves 3 clocks free after its last toggle, filled by delay(1) + ijmp()
 * so the 1 symbol also spans its full 50 clocks.
 */
static void
manchester_0(void)
{
	baseband_0(1);
	baseband_1_load();
				delay(1);
				ijmp();
}


/** Output a manchester 1.
 *
 * Output a baseband 1, followed by a baseband 0.
 * During the baseband 1 the Z register will be updated
 * to contain the pointer to the next function in the state machine.
 *
 * After the 0, with no delay slots since ijmp() takes two clocks,
 * we jump to the next state.
 *
 * Clock accounting: baseband_1_load() leaves 3 clocks free after its last
 * toggle, which delay(3) fills.  baseband_0(0) then omits the padding after
 * its final toggle (46 clocks), and the 2 clocks of ijmp() complete the
 * 48-clock 0 symbol.
 */
static void
manchester_1(void)
{
	baseband_1_load();
				delay(3); // 3 delays slots remain
	baseband_0(0);
				ijmp();	// the 2 clocks baseband_0(0) left unpadded
}


/** Restart the state machine at state 0.
 *
 * This must be the last state in the machine (HID_RESET, '3') and is the
 * first one called from main to kick things off.
 *
 * NOTE(review): the clocks spent here sit between the last data symbol
 * and the next header and are not cycle-counted; assumed tolerable for
 * the reader -- confirm if the inter-frame gap matters.
 */
static void
hid_reset(void)
{
	// We will start in state 0, so the next to read is 1
	// (hid_bits[0] is the header character and is never looked up).
	// gcc keeps optimizing writes to r15 out for some reason, hence the
	// zero-then-increment in asm instead of a plain C assignment.
	__asm__ __volatile__(
		"eor %0, %0\n"
		"inc %0\n"
		: "=r"(bit_num)
	);

	// Jump, not call: there is no return path.  NOTE(review): this names
	// the assembler symbol of a static function; gcc normally emits it as
	// written, but a renamed clone (e.g. a .constprop variant) would break
	// the reference -- check the listing if the build changes.
	__asm__ __volatile__("rjmp hid_header");
}


/** Entry point at 0x0.
 *
 * Since we are linking with -nostdlib, main needs to be at 0x0.
 * The easiest way to force that with the default linker script
 * is to put it in the .vectors text section.
 *
 * No C startup code runs before this, so nothing has initialised the
 * stack pointer or cleared r1.  NOTE(review): the hid_reset() call below
 * may be compiled to an rcall, which pushes a return address through SP;
 * confirm the target's SP reset value, or jump instead of calling, as
 * hid_reset() itself does.
 */
int
__attribute__((section(".vectors")))
main(void)
{
	// Seed the "toggle" macro's registers: r16 starts at 0 so the first
	// toggle writes the PB3|PB4 mask into DDRB, and every later toggle
	// XORs that mask back in.
	r16 = 0;
	r17 = _BV(PINB3) | _BV(PINB4);

	hid_reset();

	/* Never returns */
}