forked from Zero-V4x/Arduino-Aime-Reader-EN
-
Notifications
You must be signed in to change notification settings - Fork 4
/
nfc.txt
244 lines (220 loc) · 5.76 KB
/
nfc.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
N.B. Quoted strings are NOT NUL-terminated unless otherwise noted.
Useful reading: https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
(AiMe branded cards are Mifare Classic cards. Other technologies exist though)
Summary
-------
Hardware:
Assembly connector:
5V Host in
Tx;Rx;GND Host RS232 in
Tx;Rx;GND Daisy-chain out
Main board (probably LED controller):
Silk "837-15084"
CN1: Host 5V power in, ?V NFC-sub power out
CN2: Host RS232 Tx;Rx;GND in, NFC-sub Tx;Rx out
CN3: LED-Sub power and data(?) out
DIPSW1: Set to hex nibble 8.
Contains ADM3222 RS232 transceiver IC
Contains ATMega32 MCU
NFC subboard:
Sticker: Model "TN32MSEC003S"
CN1: ?V power and Tx;Rx;GND in, Tx;Rx;GND ass'y CN daisy out.
DIPSW1: Set to hex nibble 0.
Contains ATmega168 MCU
Contains ADM3202A RS232 transceiver IC
Contains shielded RF circuit
Entire non-ground-plane PCB area is visible through the chassis
torx screws lol
LED subboard:
Silk: "837-15120"
CN1: ?V power and Tx;Rx;GND in.
Five RGB LEDs and a bunch of resistors
No visible logic ICs..?
No DIPSW.
JVS framing:
E0 sync
D0 escape (+1 to unescape)
Checksum is sum of bytes after unescaping
Frame header:
Frame length (including length byte itself)
Address
Sequence no, hopefully loops before hitting esc byte...
Command byte
Bus addressing:
Low nibble set using DIPSWs
High nibble ???
Daisy chaining mechanism unknown (RS232 wires probably multi-tap)
Startup
-------
Addr 00 Command 62:
Req:
00 Payload length
Resp:
00 Status byte
00 Payload length
Description:
Unknown. Reset?
Addr 00 Command 30:
Req:
00 Payload length
Resp:
00 Status byte
17 Payload length
.. "TN32MSEC003S F/W Ver1.2E"
Description:
Get firmware version
Addr 00 Command 32:
Req:
00 Payload length
Resp:
00 Status byte
17 Payload length
.. "TN32MSEC003S H/W Ver3.0J"
Description:
Get hardware version
Addr 08 Command f5:
Req:
00 Payload length
Resp:
00 Status byte
00 Payload length
Description:
LED sub-board reset.
Won't accept LED commands until you do this.
Addr 08 Command f0:
Req:
00 Payload length
Resp:
00 Status byte
09 Payload length
.. "15084" (part nr for LED board)
FF ??
11 ??
00 ??
12 ??
Description:
Get board "info"
Addr 00 Command 54:
Req:
06 Payload length
57 'W'
43 'C'
43 'C'
46 'F'
76 'v'
32 '2'
Resp:
00 Status byte?
00 ??
Description:
Set Mifare KeyA.
"WCCF" might refer this this SEGA arcade game:
https://en.wikipedia.org/wiki/World_Club_Champion_Football
It's quite old and has AiMe readers, maybe where they first appeared?
Addr 00 Command 50:
Req:
06 Payload length
60 ??
90 ??
D0 ?? (This is escaped of course)
06 ??
32 ??
F5 ??
Resp:
00 Status byte
00 Payload length
Description:
Possibly Mifare KeyB.
Polling
-------
Addr 00 Command 40:
Req:
01 Payload length
03 ??
Resp:
00 Status byte
00 Payload length
Description:
Poll some other NFC technology?
Addr 00 Command 42:
Req:
00 Payload length
Resp if no MiFare card:
00 Status byte
01 Payload length
00 (represents nothing i guess)
Resp if MiFare card:
00 Status byte?
07 Payload length
01 Chunk length?
10 ?? Block size maybe?
04 Chunk length?
.. Mifare UID, four bytes.
Description:
Check for Mifare card presence?
Addr 00 Command 41:
Req:
00 Payload length
Resp:
00 Status byte
00 Payload length
Description:
Unknown. Poll some other NFC technology?
Card read
---------
Addr 00 Command 43:
Req:
04 Payload length
.. Mifare UID, four bytes.
Resp:
00 Status byte
00 Payload length
Description:
Select MiFare by UID?
Addr 00 Command 55:
Req:
05 Payload length
.. Mifare UID, four bytes.
03 ??
Resp:
00 Status byte
00 Payload length
Description:
Unknown.
Block 3 on a Mifare sector contains keys and an access control list.
It is generally not accessed directly (unless being provisioned?)
Addr 00 Command 52:
Req:
05 Payload length
.. Mifare UID, four bytes.
.. Block number, 1 or 2.
Resp for Block 1:
00 Status byte
10 Payload length (1 block)
.. "SBSD"
00 00 00 00
00 00 00 00
00 4E C6 22
Resp for Block 2:
00 Status byte
10 Payload length (1 block)
.. 00 00 00 00 00 00 xx xx
xx xx xx xx xx xx xx xx
Description:
Probably reads blocks 1 and 2 from Mifare sector 0.
Block 0 contains the "vendor information" and UID.
Block 1 contents are unknown, probably AiMe DB info.
Block 2 last 10 bytes hex are printed on the card ("local unique id").
(Block 3 contains encryption keys so is not allowed to be read)
LED
---
Addr 08 Command 81:
Req:
03 Payload length
ff Red intensity
ff Green intensity
ff Blue intensity
Resp:
None! Command is not acknowledged
Description:
Set LED color