From ea1423e7c9aa7da9e1017d71d8887a0b736db81e Mon Sep 17 00:00:00 2001 From: laforge Date: Mon, 16 Oct 2006 16:37:59 +0000 Subject: add some bits and pieces of documentation git-svn-id: https://svn.openpcd.org:2342/trunk@272 6dc7ffe9-61d6-0310-9af1-9938baff3ed1 --- doc/common-hardware.xml | 0 doc/common-hostsoftware.xml | 44 +++++++ doc/common-targetsoftware.xml | 17 +++ doc/common-usbproto.xml | 190 +++++++++++++++++++++++++++++ doc/openpcd.xml | 172 ++++++++++++++++++++++++++ doc/openpicc.xml | 275 ++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 698 insertions(+) create mode 100644 doc/common-hardware.xml create mode 100644 doc/common-hostsoftware.xml create mode 100644 doc/common-targetsoftware.xml create mode 100644 doc/common-usbproto.xml create mode 100644 doc/openpcd.xml create mode 100644 doc/openpicc.xml diff --git a/doc/common-hardware.xml b/doc/common-hardware.xml new file mode 100644 index 0000000..e69de29 diff --git a/doc/common-hostsoftware.xml b/doc/common-hostsoftware.xml new file mode 100644 index 0000000..e35a598 --- /dev/null +++ b/doc/common-hostsoftware.xml @@ -0,0 +1,44 @@ +
Device Firmware Upgrade
+ +Since the device firmware is Free Software licensed under GNU GPL, +we encourage and enable users to enhance and adapt the firmware according to +their needs. In order to really benefit from this freedom, we have embedded +an easy mechanism to update the device firmware without any special tools / +adapters / cables / programmers or the like. + + +The OpenPICC implements the USB Device Firmware Upgrade speficication, +as released by the USB Association. Using this protocol, it is possible to +update the device firmware via special-purpose USB control requests. + + +A software implementation of the USB DFU host side was already available for +Linux under the name of "dfu-programmer". However, this program did not +implement the true standard, but some vendor-specific dialect of it. +Therefore, dfu-programmer has been enhanced to have full native support +for standard DFU. + + + +
Emergency Firmware Flash
+ +The AT91SAM7 microcontroller used in the device contains a USB flash loader +(called SAM-BA) in read-only memory. By setting a jumper on the PCB and +powering up the device for 20 seconds, this loader can be copied into the +first 8kb of flash memory, overwriting the existing content. + + +So if the DFU loader has become inoperable, e.g. because of bugs in +experimental DFU modifications, SAM-BA can be employed to rescue the system. + + +Apart from proprietary Windows software by Atmel, there's the Free Software +sam7utils project which provides a host program called 'sam7' to interface +with SAM-BA and facilitate a full-flash rewrite with DFU and the device firmware. + + +For more information on the flash procedure, we refer to the AT91SAM7 product +documentation, as well as the sam7utils documentation. + + + diff --git a/doc/common-targetsoftware.xml b/doc/common-targetsoftware.xml new file mode 100644 index 0000000..6e328ee --- /dev/null +++ b/doc/common-targetsoftware.xml @@ -0,0 +1,17 @@ +
+Target Software + +The software doesn't use any operating system. Everything is implemented from +scratch. Some of the API's (e.g. timer API) are modelled after the +corresponding Linux kernel API's. However, this does not imply that any of the +actual implementation is shared. The reason for matching the Linux API's is +merely because they are well-understood and there's lots of example code using +them. + + +The SAM7 firmware is compiled using GNU GCC 4.0.2 for ARM. It uses GNU Make for +processing the Makefiles. All development of the system happened on Linux, +therefore your milage of compiling it on Windows might vary, but should +theoretically work. + + diff --git a/doc/common-usbproto.xml b/doc/common-usbproto.xml new file mode 100644 index 0000000..3b8b894 --- /dev/null +++ b/doc/common-usbproto.xml @@ -0,0 +1,190 @@ +
+USB Protocol + +The USB protocol is completely non-standard. Since OpenPICC is a very +special-purpose device, it's obvious that no standard USB protocol will be +applicable. However, our vendor-specific protocol is completely open and +documented to allow for development of interoperable applications. + + +
+USB Endpoints + +Since the SAM7 hardware only provides four USB endpoints, we have to use them +according to their endpoint type, rather than to their function within the +protocol. We have to overload and (de)multiplex within one endpoint quite a +bit. + + +EP0 - Control Endpoint +EP1 - Bulk Out endpoint (host -> device) +EP2 - Bulik In endpoint (device -> host) +EP3 - Interrupt In endpoint (device -> host) + + +The control endpoint behaves according to the USB specification. It only +takes care of usb configuration and management. No application data is +transferred over it. + +
+ +
+USB packets, transfers + +In order to understand this devices' USB prootocol, some basics about any +communication with USB endpoints need to be known. + + +USB endpoints exchange a stream of data by means of USB transfers. Every +transfer is conveyed as multiple transaction. Every transaction transports +multiple USB packets. The Endpoint buffer size of the SAM7 usb device +controller is 64bytes for EP1, EP2 and EP3. Therefore, a single packet can be +up to 64 bytes in size. As soon as a packet smaller than the endpoint size +(64byte) is received, the end of that particular USB transfer is detected. +If the transfer size is an integral size of the endpoint size, a zero-length-packet (ZLP) is sent to explicitly signal the end of the transfer. + + +The buffer management inside the SAM7 firmware can deal with USB transfers of +up to 2048 bytes in size. To optimize memory efficiency, all buffers are +statically pre-allocated, and the majority of USB buffers is only 64bytes in +size. This way, the memory consumption for small transfers (such as register read/write transfers) can be kept low. + + +Large transfers (> 64 bytes, but &let; 2024 bytes) should be used only +when they are absolutely required. + +
+ +
+Host software interaction with USB Endpoints + +Any host software operating the USB device should take into consideration +that memory is a scarce resource on the SAM7, especially for +applications with relatively high speed compared to the USB 1.1 full speed bandwith), such as higher-bitrate 847kHz ISO14443 communication. + + +Therefore it is important to serve device requests on the BULK IN and +INTERRUPT IN endpoints as soon as possible. In most cases, the application +will simply keep those two pipes open all the time, by re-submitting an USB +request block as soon as the previous one at that endpiont has completed. + + +The BULK OUT endpoint will obviously only be filled with requests from the +host software when there are any such requests. + + +On the highest level of the protocol, there are three different classes of device requests: + + +1. uni-directional without high-level acknowledgement, such as a register +write without explicit request for a response. This means that the host +software will only send a single BULK OUT transfer. This transfer is +acknowledged inherently by the USB protocol, and the host software can be sure +that the transfer was correctly received by the device. + + +2. bi-directional with a single response, such as a register read. This means +that the host sends a single BULK OUT transfer, to which the device replies +with a single BULK IN transfer. + + +3. bi-directional with multiple responses. This means that even though the +host only sends a single BULK OUT transfer, there will be multiple BULK IN +transfers in response. + +
+ +
+The usb transfer header + +Application data transferred over EP1, EP2 and EP3 is prefixed with a +four-byte header, 'struct openpcd_hdr'. + + +The first byte is the command byte. The high nibble of the command byte +specifies the command class, whereas the the low nibble selects the particular +command within a given class. + + +The second byte specifies flags. There are currently two flags: + + +The RESPOND flag signifies that the sender of this transfer explicitly +requests a response back from the other side. + + +The ERROR flag signifies that this transfer indicates some error + + +The MULTIPLE flag signifies that this is part of a response that consists of +multiple transfers. + + +The LAST flag signifies that the current transfer is the last transfer +of a multiple-transfer response. + + +The third byte is called 'register' for historical purpose. It should +actually rather be called address or index. Its significance differs +according to the actual command that is being performed. + + +The fourth byte is called 'val' for 'value'. Again, its purpose is command +specific. In case of e.g. a register write, it is the value to be written +into the register. + +
+ +
+The individual USB protocol commands + +
+Generic USB commands: CMD_CLS_GENERIC + +
+CMD_GET_VERSION + +This command is used to obtain the version number of the USB device. This +might be used to differentiate different hardware revisions by the host software. + + +The response to this command contains the version number in the +variable-length 'data' section of the transfer. + +
+ +
+CMD_SET_LED + +Using this command, the host software can control the LED's present in the +OpenPICC. The LED can be specified in the 'reg' section of the header. +Currently there are two LED's, LED 1 (green) and LED 2 (red). The 'val' +header field controls whether the LED should be switched on (1) or off (0). + +
+ +
+CMD_GET_SERIAL + +This command is used to obtain the serial number of the OpenPICC device. +The serial number is returned in the 'data' section of the response transfer. + +
+ +
+ +
+USB Testing commands +
+CMD_USBTEST_IN + + +
+
+CMD_USBTEST_OUT + + +
+
+ + diff --git a/doc/openpcd.xml b/doc/openpcd.xml new file mode 100644 index 0000000..719ba3a --- /dev/null +++ b/doc/openpcd.xml @@ -0,0 +1,172 @@ + + + +
+ + + OpenPCD - A 13.56MHz RFID reader + + + + Harald + Welte + + hwelte@hmw-consulting.de + + + + Milosch + Meriac + + meriac@bitmanufaktur.de + + + + 2006 + Harald Welte <hwelte@hmw-consultin.de> + + Oct 12, 2006 + 1 + + $Revision: 1.0 $ + + + + + This is the reference documentation for the OpenPCD RFID + reader. + + + + + + + +
+Introduction + +The OpenPCD project is about desinging and building both hardware and software +for a user-programmable reader (proximity coupling device, PCD) of the ISO +14443 A+B (and later ISO15693) RFID protocols. + + +The hardware is based on the Atmel AT91SAM7S128 microcontroller, featuring a +48MHz, 32bit ARM7TDMI core with many integrated peripherals, such as USB +device, SSC, ADC, 128kByte Flash, 32kByte SRAM, ... + + +Next to the AT91SAM7, there is the Pilips CL RC 632 RFID reader ASIC. It +is attached via SPI (Serial Peripheral Interface) to the AT91SAM7. + + +The SAM7 attaches to a host PC using a USB 1.1 interface. The SAM7 firmware +implements various forms of interface between the RC632 and the host PC. +There are multiple firmware images available, some of them acting as a dumb +transceiver, while others implement the full ISO 14443 protocol suite inside +the SAM7 firmware. + + +All device firmware and host software source code is released under GNU General +Public License. The hardware design (schematics, PCB) is released under +"Creative Commons share-alike attribution" License. + +
+ +
+Hardware + +FIXME: to be filled by milosch + + + + +
+ + +
+Software + + + +
+PICC specific commands +
+CMD_PICC_REG_WRITE + +Using this command, a given OpenPICC register can be written to. + +
+
+CMD_PICC_REG_READ + +Using this command, a given OpenPICC register can be read. + +
+
+ +
+ADC specific commands +
+ +
+GPIO IRQ commands + +Using these commands, the host software can request a USB interrupt +transfer to be sent once a given GPIO pin changes its level + +
+ +
+
+ + + +
+The main_dumbreader firmware + +The main_dumbreader firmware implements a very basic PCD/VCD firmware, where +the USB device only implements an access layer to the RC632 registers and +FIFO. All protocol and application logic has to be implemented on the host +PC. + + +This provides the greatest flexibility to the host software, since it can +easily alter the behaviour of the device completely. Host development is +easier than cross-compilation and remote debugging required for firmware +development. + + +Therefore, this firmware is the choice for most security researchers, since +all timing and every bit of the protocol can be dealt with on the host. + +
+ +
+The main_librfid firmware + +This firmware is called 'main_librfid' because it contains a full copy of the +librfid library, cross compiled for ARM. The librfid library implements +various 13.56MHz RFID protocols from layer 2 to layer 4 and higher, including +ISO 14443, ISO 15693, Mifare classic, Mifare ultralight and others. + + +The USB protocol of this firmware has not yet been fully speicified, also +there currently is no finished host software that could interface this +firmware yet. Stay tuned for upcoming news on this subject. + + +
+ +
+Host Software + +TBD + + + + +
+ +
+ + diff --git a/doc/openpicc.xml b/doc/openpicc.xml new file mode 100644 index 0000000..c687f48 --- /dev/null +++ b/doc/openpicc.xml @@ -0,0 +1,275 @@ + + + +
+ + + OpenPICC - A ISO 14443 A+B PICC RFID simulator + + + + Harald + Welte + + hwelte@hmw-consulting.de + + + + Milosch + Meriac + + meriac@bitmanufaktur.de + + + + 2006 + Harald Welte <hwelte@hmw-consultin.de> + + Oct 12, 2006 + 1 + + $Revision: 1.0 $ + + + + + This is the reference documentation for the OpenPICC RFID + simulator for ISO 14443. + + + + + + + +
+Introduction + +The OpenPICC project is about desinging and building both hardware and software +for a user-programmable simulator of the PICC (Transponder) side of the ISO +14443 A+B (and later ISO15693) RFID protocols. + + +The hardware is based on the Atmel AT91SAM7S256 microcontroller, featuring a +48MHz, 32bit ARM7TDMI core with many integrated peripherals, such as USB +device, SSC, ADC, 256kByte Flash, 64kByte SRAM, ... + + +The SAM7 attaches to a host PC using a USB 1.1 interface. The SAM7 firmware +implements encoding/decoding, the auxiliary hardware modulation/demodulation. +The host PC therefore transmits and sends raw ISO 14443-3 frames, and +implements higher protocol levels such as ISO 14443-4 or even a Smartcard OS +simulation according to 7816-4. + + +All device firmware and host software source code is released under GNU General +Public License. The hardware design (schematics, PCB) is released under +"Creative Commons share-alike attribution" License. + +
+ +
+Hardware + +FIXME: to be filled by milosch + + + + +
+ + +
+Software + + + +
+PICC specific commands +
+CMD_PICC_REG_WRITE + +Using this command, a given OpenPICC register can be written to. + +
+
+CMD_PICC_REG_READ + +Using this command, a given OpenPICC register can be read. + +
+
+ +
+ADC specific commands +
+ +
+GPIO IRQ commands + +Using these commands, the host software can request a USB interrupt +transfer to be sent once a given GPIO pin changes its level + +
+ +
+
+ + + +
+ +
+The OpenPICC register set + +Most of the behaviour of the OpenPICC simulator can be controlled using the +OpenPICC register set. This is not really a register set that corresponds to +hardware registers. The registers are actually implemented in software, and +act as global variables present in SAM7 RAM, which influence the OpenPICC +firmware operation. + + +This interface was chosen because it is something that software developers +(more specificially: driver developers) are used to. + + +
+OPICC_REG_14443A_UIDLEN + +This register defines the length of the 14443-A UID or 14443-B PUPI. The +length value is specified in bytes. + + +Permitted values for 14443-A are: 4, 7 or 10. + + +Permitted values for 14443-B are: 4. + +
+ +
+OPICC_REG_14443A_FDT0 + +ISO 14443A synchronous frame delay time in case last bit of PCD->PICC frame +was 0. According to the ISO 14443-3 specification, this has to be 1236. + +
+ +
+OPICC_REG_14443A_FDT1 + +ISO 14443-3A synchronous frame delay time in case last bit of PCD->PICC frame +was 1. According to the ISO 14443-3A specification, this has to be 1172. + +
+ +
+OPICC_REG_14443A_ATQA + +The ATQA register contains a template for the 14443-3A ATQA. Only the lowest +five bits (0...4, bit frame anti-collision) and the bits 8..11 are used, the +rest will be masked and or specified by the OpenPICC firmware. + +
+ +
+OPICC_REG_14443A_STATE + +The PICC state according to ISO 14443-3A. Possible values are: +ISO14443A_ST_POWEROFF, ISO14443A_ST_IDLE, ISO14443A_ST_READY, +ISO14443A_ST_ACTIVE, ISO14443A_ST_HALT, ISO14443A_ST_READY2, +ISO14443A_ST_ACTIVE2. + +
+ +
+OPICC_REG_RX_CLK_DIV + +The receive clock divider register. This specifies the relationship +between SSC sample clock and re-generated carrier clock. + + +For ISO14443-A at 106kBp/s, this is usually set to 32 in order to produce +a four-times oversampled signal. Values for higher baudrtes are TBD. + +
+ +
+OPICC_REG_RX_CLK_PHASE + +This register defines the phase of the receive sample clock. Values +are given relative to the rx sample clock synchronization pulse caused +by the first falling edge within the frame. + +
+ +
+OPICC_REG_RX_CONTROL + +The receive control register controls the OpenPICC receive path + +
+ +
+OPICC_REG_TX_CLK_DIV + +The transmit clock divider register determines the sample clock rate of the SSC +transmit path. Since 14443-A and -B use a 847.5kHz subcarrier, the sample +rate will have to be configured to 1.695MHz, and thus a clock divider of 8 +programmed into this register. + +
+ +
+OPICC_REG_TX_CLK_PHASE + +The transmit clock phase register defines the phase relationship between carrier clock and SSC Tx clock. + +
+ +
+OPICC_REG_TX_CONTROL + +The transmit control register is split in two sections: Lower nibble switches between BPSK (1) and MANCHESTER (2), whereas the higher nibble is used to configure the modulation depth (0..3). + +
+ +
+OPICC_REG_RX_COMP_LEVEL + +The demodulated Rx signal is digitized using a comparator. Using this +register, the comparator reference value can be specified. The value is +conveyed as a 7bit value in the range of 0..127. + +
+ +
+OPICC_SREG_14443A_UID + +This string register contains the 14443-3A UID or 14443-3B PUPI. + +
+ +
+ +
+ + + + + + + +
+Host Software + +TBD + + + + +
+ + + + -- cgit v1.2.3