forked from Dniel97/segatools
245 lines
5.8 KiB
Plaintext
245 lines
5.8 KiB
Plaintext
N.B. Quoted strings are NOT NUL-terminated unless otherwise noted.
|
|
Useful reading: https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
|
|
|
|
(AiMe branded cards are Mifare Classic cards. Other technologies exist though)
|
|
|
|
Summary
|
|
-------
|
|
|
|
Hardware:
|
|
Assembly connector:
|
|
5V Host in
|
|
Tx;Rx;GND Host RS232 in
|
|
Tx;Rx;GND Daisy-chain out
|
|
Main board (probably LED controller):
|
|
Silk "837-15084"
|
|
CN1: Host 5V power in, ?V NFC-sub power out
|
|
CN2: Host RS232 Tx;Rx;GND in, NFC-sub Tx;Rx out
|
|
CN3: LED-Sub power and data(?) out
|
|
DIPSW1: Set to hex nibble 8.
|
|
Contains ADM3222 RS232 transceiver IC
|
|
Contains ATMega32 MCU
|
|
NFC subboard:
|
|
Sticker: Model "TN32MSEC003S"
|
|
CN1: ?V power and Tx;Rx;GND in, Tx;Rx;GND ass'y CN daisy out.
|
|
DIPSW1: Set to hex nibble 0.
|
|
Contains ATmega168 MCU
|
|
Contains ADM3202A RS232 transceiver IC
|
|
Contains shielded RF circuit
|
|
Entire non-ground-plane PCB area is visible through the chassis
|
|
torx screws lol
|
|
LED subboard:
|
|
Silk: "837-15120"
|
|
CN1: ?V power and Tx;Rx;GND in.
|
|
Five RGB LEDs and a bunch of resistors
|
|
No visible logic ICs..?
|
|
No DIPSW.
|
|
|
|
JVS framing:
|
|
E0 sync
|
|
D0 escape (+1 to unescape)
|
|
Checksum is sum of bytes after unescaping
|
|
|
|
Frame header:
|
|
Frame length (including length byte itself)
|
|
Address
|
|
Sequence no, hopefully loops before hitting esc byte...
|
|
Command byte
|
|
|
|
Bus addressing:
|
|
Low nibble set using DIPSWs
|
|
High nibble ???
|
|
Daisy chaining mechanism unknown (RS232 wires probably multi-tap)
|
|
|
|
Startup
|
|
-------
|
|
|
|
Addr 00 Command 62:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Unknown. Reset?
|
|
|
|
Addr 00 Command 30:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
17 Payload length
|
|
.. "TN32MSEC003S F/W Ver1.2E"
|
|
Description:
|
|
Get firmware version
|
|
|
|
Addr 00 Command 32:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
17 Payload length
|
|
.. "TN32MSEC003S H/W Ver3.0J"
|
|
Description:
|
|
Get hardware version
|
|
|
|
Addr 08 Command f5:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
LED sub-board reset.
|
|
Won't accept LED commands until you do this.
|
|
|
|
Addr 08 Command f0:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
09 Payload length
|
|
.. "15084" (part nr for LED board)
|
|
FF ??
|
|
11 ??
|
|
00 ??
|
|
12 ??
|
|
Description:
|
|
Get board "info"
|
|
|
|
Addr 00 Command 54:
|
|
Req:
|
|
06 Payload length
|
|
57 'W'
|
|
43 'C'
|
|
43 'C'
|
|
46 'F'
|
|
76 'v'
|
|
32 '2'
|
|
Resp:
|
|
00 Status byte?
|
|
00 ??
|
|
Description:
|
|
Set Mifare KeyA.
|
|
"WCCF" might refer this this SEGA arcade game:
|
|
https://en.wikipedia.org/wiki/World_Club_Champion_Football
|
|
It's quite old and has AiMe readers, maybe where they first appeared?
|
|
|
|
Addr 00 Command 50:
|
|
Req:
|
|
06 Payload length
|
|
60 ??
|
|
90 ??
|
|
D0 ?? (This is escaped of course)
|
|
06 ??
|
|
32 ??
|
|
F5 ??
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Possibly Mifare KeyB.
|
|
|
|
Polling
|
|
-------
|
|
|
|
Addr 00 Command 40:
|
|
Req:
|
|
01 Payload length
|
|
03 ??
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Poll some other NFC technology?
|
|
|
|
Addr 00 Command 42:
|
|
Req:
|
|
00 Payload length
|
|
Resp if no MiFare card:
|
|
00 Status byte
|
|
01 Payload length
|
|
00 (represents nothing i guess)
|
|
Resp if MiFare card:
|
|
00 Status byte?
|
|
07 Payload length
|
|
01 Chunk length?
|
|
10 ?? Block size maybe?
|
|
04 Chunk length?
|
|
.. Mifare UID, four bytes.
|
|
Description:
|
|
Check for Mifare card presence?
|
|
|
|
Addr 00 Command 41:
|
|
Req:
|
|
00 Payload length
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Unknown. Poll some other NFC technology?
|
|
|
|
Card read
|
|
---------
|
|
|
|
Addr 00 Command 43:
|
|
Req:
|
|
04 Payload length
|
|
.. Mifare UID, four bytes.
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Select MiFare by UID?
|
|
|
|
Addr 00 Command 55:
|
|
Req:
|
|
05 Payload length
|
|
.. Mifare UID, four bytes.
|
|
03 ??
|
|
Resp:
|
|
00 Status byte
|
|
00 Payload length
|
|
Description:
|
|
Unknown.
|
|
Block 3 on a Mifare sector contains keys and an access control list.
|
|
It is generally not accessed directly (unless being provisioned?)
|
|
|
|
Addr 00 Command 52:
|
|
Req:
|
|
05 Payload length
|
|
.. Mifare UID, four bytes.
|
|
.. Block number, 1 or 2.
|
|
Resp for Block 1:
|
|
00 Status byte
|
|
10 Payload length (1 block)
|
|
.. "SBSD"
|
|
00 00 00 00
|
|
00 00 00 00
|
|
00 4E C6 22
|
|
Resp for Block 2:
|
|
00 Status byte
|
|
10 Payload length (1 block)
|
|
.. 00 00 00 00 00 00 xx xx
|
|
xx xx xx xx xx xx xx xx
|
|
Description:
|
|
Probably reads blocks 1 and 2 from Mifare sector 0.
|
|
Block 0 contains the "vendor information" and UID.
|
|
Block 1 contents are unknown, probably AiMe DB info.
|
|
Block 2 last 10 bytes hex are printed on the card ("local unique id").
|
|
(Block 3 contains encryption keys so is not allowed to be read)
|
|
|
|
LED
|
|
---
|
|
|
|
Addr 08 Command 81:
|
|
Req:
|
|
03 Payload length
|
|
ff Red intensity
|
|
ff Green intensity
|
|
ff Blue intensity
|
|
Resp:
|
|
None! Command is not acknowledged
|
|
Description:
|
|
Set LED color
|