Proxmark3 community


#1 2015-07-20 16:15:51

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Precision of the modulation

Hello !

I am trying to program functions to write to the PCF7931 tag (used by coffee tags, for example)! I have finished programming some functions.

The PCF7931 protocol pattern needs very good precision. For example, the pattern of a 0 is defined by an antenna modulation of 272us, then no modulation for 48us, then a modulation of 704us. The problem is that I measure, with my oscilloscope, a dynamic error of 16us. Is the SpinDelayUs() function only precise to 16 us? Or is it my code that isn't optimized?

Here is a screenshot of writing a bit 0; you can see the time error between the moment the antenna cuts off modulation and the moment it should cut off modulation (at the solid yellow cursor):
1437404237_20150720_154241.jpg

The code of my function WritePCF7931bit is here :

[== C++ ==]
#define T0_PCF 8

void WritePCF7931bit(uint8_t b){
	if (b==0) {//bit 0, cycle of 123*T0_PCF
		// modulate antenna
		HIGH(GPIO_SSC_DOUT);
		SpinDelayUs(34*T0_PCF);
		// stop modulating antenna
		LOW(GPIO_SSC_DOUT);
		SpinDelayUs(6*T0_PCF);
		// modulate antenna
		HIGH(GPIO_SSC_DOUT);
		SpinDelayUs(88*T0_PCF);
	} else {//bit 1, cycle of 123*T0_PCF
		// modulate antenna
		HIGH(GPIO_SSC_DOUT);
		SpinDelayUs(98*T0_PCF);
		// stop modulating antenna
		LOW(GPIO_SSC_DOUT);
		SpinDelayUs(6*T0_PCF);
		// modulate antenna
		HIGH(GPIO_SSC_DOUT);
		SpinDelayUs(24*T0_PCF);
	}
	
}

And the general function WritePCF7931 (in progress) is here:

[== C++ ==]
void WritePCF7931(uint8_t adress_block, uint8_t adress_byte, uint8_t data)
{
	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

	Dbprintf("Writing to tag");

	// PCF tags charge at 125Khz
	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
	// Place FPGA in passthrough mode, in this mode the CROSS_LO line
	// connects to SSP_DIN and the SSP_DOUT logic level controls
	// whether we're modulating the antenna (high)
	// or listening to the antenna (low)
	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
	LED_A_ON();

	// steal this pin from the SSP and use it to control the modulation
	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;

	WritePCF7931bit(0); //to test
	
	LED_A_OFF();

	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}

Last edited by Dake (2015-07-28 16:25:17)

Offline

#2 2015-07-20 17:41:22

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

See the comment in util.c: precision is 21,3us.

You may use StartCountUS and GetCountUS. This has a resolution of 1,5us.

Offline

#3 2015-07-21 09:19:31

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

Thanks piwi! Sorry, I had not seen this precision, so I used StartCountUS and GetCountUS; it is perfect.

I forgot to ask: as you can see on my screenshot, there is a "slew rate" (transition time) between the HIGH and LOW levels. Maybe this will not be a problem, but do you know if it is possible to reduce this time?

Last edited by Dake (2015-07-21 09:23:45)

Offline

#4 2015-07-21 11:49:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Precision of the modulation

@izsh has made some changes to the FPGA (LF) code to deal with this issue; however, he hasn't gotten around to merging it.

Offline

#5 2015-07-22 11:08:24

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

Great! I wish Izsh could merge it soon.

Offline

#6 2015-07-22 11:25:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Precision of the modulation

Don't count on it. He seems to be quite a busy person and he was reluctant to merge it.

Offline

#7 2015-07-22 11:42:21

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

OK, do we know the origin of this slew rate? Maybe an optimization problem in the Verilog?

Offline

#8 2015-07-22 12:21:22

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

I think it is the LC circuit which continues oscillating even after the driving signal is off (0V, i.e. connected to gnd). Maybe this can be prevented by disabling the output drivers (FPGA change) but I would be afraid of high voltage peaks resulting from that.

Offline

#9 2015-07-23 08:55:09

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

While looking at the clocks setup I am wondering if GetCountUS() is giving correct times at all? Can you measure approx. 272us now? Or is it still shorter (something like 251us)?

Offline

#10 2015-07-23 13:56:05

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

GetCountUS() is better than SpinDelayUs(). Yes, I can measure approx. 272us now. However, as there is a slew rate, I can't say whether it is precise to 1.5us or 4us.

What can be the result of high voltage peaks? To disable the antenna drivers, do I change the file lo_passthru.v?
It contains:

[== C++ ==]
// the antenna is modulated when ssp_dout = 1, when 0 the
// antenna drivers stop modulating and go into listen mode
assign pwr_oe3 = 1'b0;
assign pwr_oe1 = ssp_dout;
assign pwr_oe2 = ssp_dout;
assign pwr_oe4 = ssp_dout;
assign pwr_lo = pck_divclk && ssp_dout;
assign pwr_hi = 1'b0;
assign adc_clk = 1'b0;
assign ssp_din = cross_lo;
assign dbg = cross_lo;

Offline

#11 2015-07-27 13:55:40

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

Does anyone know the meaning of pwr_oeX, pwr_lo and pwr_hi? I think they control the antenna modulation, but I do not know more.

Last edited by Dake (2015-07-27 13:57:40)

Offline

#12 2015-07-27 18:19:16

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

These signals are connected to the antenna drivers. See the PM3 schema. You can find it in the doc folder.

Please note that the OE (output enable) signals are inverted, i.e. low is enabled, high is disabled (high impedance).

Offline

#13 2015-07-28 16:23:42

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

Thanks piwi!

Actually, one LF driver is disabled (pwr_oe3) and the other driver is enabled half the time: when the antenna must not be modulating (ssp_dout at 0). I did not understand how this works.

As Iceman proposed, I tested setting pwr_oe3 and pwr_oe2 to 1'b0 (high level) to disable the LF drivers; unfortunately I did not see any improvement in the slew rate.

Offline

#14 2015-07-28 17:37:34

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

To disable the drivers you need to set the signal to 1'b1 (not 1'b0). And please note that there are three OE signals for each HF and LF (some of the drivers are shared).

Last edited by piwi (2015-07-28 17:39:25)

Offline

#15 2015-07-29 09:56:55

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

OK, thanks piwi. I tried to disable the three LF drivers by setting PWR_OE3, PWR_OE2 and PWR_OE4 to 1'b1, but the slew rate is not reduced; also, the signal seems more unstable.

Here we can see the slew rate of 90 us:
583936slewrate.jpg

It seems that the LC circuit continues to resonate after modulation. Maybe a solution could be to impose GND on the LC circuit during the no-modulation phases.

Last edited by Dake (2015-07-29 09:58:53)

Offline

#16 2015-08-05 14:47:48

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: Precision of the modulation

When measuring at the output of the Proxmark there is no slew rate (it was caused by the antenna).

So now I can measure my signals with high precision, and I noted a timing error of 10-15us with StartCountUS() and GetCountUS():
15063720150805141617.jpg

The low level takes 36us instead of 24us. My code is:

[== C++ ==]
	StartCountUS();	
	//PMC
	LOW(GPIO_SSC_DOUT);
	time = GetCountUS();
	while((GetCountUS() - time) < (3*T0_PCF)){}
	HIGH(GPIO_SSC_DOUT);
	time = GetCountUS();
	while((GetCountUS() - time) < (29*T0_PCF)){}

When the no-modulation time is increased, the error becomes proportionally small compared to the commanded value. For a commanded no-modulation time of 240 us I obtain 252 us.

Would someone have an idea for getting better precision? Is my use of these functions (GetCountUS() and StartCountUS()) optimized? I thought of adding an offset, but it is not clean.

Last edited by Dake (2015-08-05 14:49:52)

Offline

#17 2015-08-05 16:01:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Precision of the modulation

What does your optimized version look like?

Offline

#18 2015-08-05 17:39:49

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Precision of the modulation

Dake wrote:

When measuring at the output of the Proxmark there is no slew rate (it was caused by the antenna).

No surprise. The antenna is the 'L' of the oscillating LC circuit.

Dake wrote:

So now I can measure my signals with high precision, and I noted a timing error of 10-15us with StartCountUS() and GetCountUS()

First, you should check the specs how the 'no modulation' phase is measured. Is it really from falling edge to rising edge?
Second, there is an unnecessarily high rounding error with GetCountUS(). This should improve by changing

((AT91C_BASE_TC0->TC_CV / 15) * 10)

to

((AT91C_BASE_TC0->TC_CV * 2) / 3)

in util.c

Offline
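
The rounding difference between the two GetCountUS() expressions in post #18, worked through as an added example (not part of the thread and not Proxmark3 firmware code). It models the busy-wait from post #16 for the 24 us (3*T0_PCF) target; the function names are hypothetical, and it assumes 15 counter ticks equal 10 us, as both expressions imply.

```c
#include <stdint.h>
#include <stdio.h>

/* The two conversions from post #18; cv stands in for AT91C_BASE_TC0->TC_CV.
 * Assumption (implied by both expressions): 15 counter ticks = 10 us. */
uint32_t us_div_first(uint32_t cv) { return (cv / 15) * 10; }
uint32_t us_mul_first(uint32_t cv) { return (cv * 2) / 3; }

typedef uint32_t (*conv_fn)(uint32_t);

/* Model of the busy-wait in post #16: read the converted time once, then
 * spin until the converted time has advanced by target_us. Returns the
 * real elapsed counter ticks. Counter wrap-around is not modelled. */
uint32_t wait_ticks(conv_fn conv, uint32_t cv0, uint32_t target_us)
{
    uint32_t start = conv(cv0), cv = cv0;
    while (conv(cv) - start < target_us)
        cv++;
    return cv - cv0;
}

/* Shortest real wait over every starting phase of the counter
 * (30 phases cover the 15-tick and the 3-tick rounding periods). */
uint32_t min_wait_ticks(conv_fn conv, uint32_t target_us)
{
    uint32_t best = UINT32_MAX;
    for (uint32_t cv0 = 0; cv0 < 30; cv0++) {
        uint32_t t = wait_ticks(conv, cv0, target_us);
        if (t < best) best = t;
    }
    return best;
}

/* Longest real wait over the same starting phases. */
uint32_t max_wait_ticks(conv_fn conv, uint32_t target_us)
{
    uint32_t worst = 0;
    for (uint32_t cv0 = 0; cv0 < 30; cv0++) {
        uint32_t t = wait_ticks(conv, cv0, target_us);
        if (t > worst) worst = t;
    }
    return worst;
}

int main(void)
{
    printf("(TC_CV / 15) * 10: 24 us wait lasts %.1f .. %.1f us\n",
           min_wait_ticks(us_div_first, 24) * 2.0 / 3.0,
           max_wait_ticks(us_div_first, 24) * 2.0 / 3.0);
    printf("(TC_CV * 2) / 3:   24 us wait lasts %.1f .. %.1f us\n",
           min_wait_ticks(us_mul_first, 24) * 2.0 / 3.0,
           max_wait_ticks(us_mul_first, 24) * 2.0 / 3.0);
    return 0;
}
```

In this model the divide-first form only advances in 10 us steps, so the wait length depends on where inside a step it starts; the multiply-first form stays within one counter tick of the target.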
