Add HW,FW notes on NFC assembly

2018-11-28 11:49:55 -05:00 · 2018-11-28 11:49:55 -05:00 · 9159be00a2
commit 9159be00a2
parent 2c6d48ce27
1 changed files with 244 additions and 0 deletions
--- a/doc/nfc.txt
+++ b/doc/nfc.txt
@ -0,0 +1,244 @@
+N.B. Quoted strings are NOT NUL-terminated unless otherwise noted.
+Useful reading: https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
+
+(AiMe branded cards are Mifare Classic cards. Other technologies exist though)
+
+Summary
+-------
+
+Hardware:
+    Assembly connector:
+        5V Host in
+        Tx;Rx;GND Host RS232 in
+        Tx;Rx;GND Daisy-chain out
+    Main board (probably LED controller):
+        Silk "837-15084"
+        CN1: Host 5V power in, ?V NFC-sub power out
+        CN2: Host RS232 Tx;Rx;GND in, NFC-sub Tx;Rx out
+        CN3: LED-Sub power and data(?) out
+        DIPSW1: Set to hex nibble 8.
+        Contains ADM3222 RS232 transceiver IC
+        Contains ATMega32 MCU
+    NFC subboard:
+        Sticker: Model "TN32MSEC003S"
+        CN1: ?V power and Tx;Rx;GND in, Tx;Rx;GND ass'y CN daisy out.
+        DIPSW1: Set to hex nibble 0.
+        Contains ATmega168 MCU
+        Contains ADM3202A RS232 transceiver IC
+        Contains shielded RF circuit
+        Entire non-ground-plane PCB area is visible through the chassis
+        torx screws lol
+    LED subboard:
+        Silk: "837-15120"
+        CN1: ?V power and Tx;Rx;GND in.
+        Five RGB LEDs and a bunch of resistors
+        No visible logic ICs..?
+        No DIPSW.
+
+JVS framing:
+    E0 sync
+    D0 escape (+1 to unescape)
+    Checksum is sum of bytes after unescaping
+
+Frame header:
+    Frame length (including length byte itself)
+    Address
+    Sequence no, hopefully loops before hitting esc byte...
+    Command byte
+
+Bus addressing:
+    Low nibble set using DIPSWs
+    High nibble ???
+    Daisy chaining mechanism unknown (RS232 wires probably multi-tap)
+
+Startup
+-------
+
+Addr 00 Command 62:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Unknown. Reset?
+
+Addr 00 Command 30:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        17  Payload length
+        ..  "TN32MSEC003S F/W Ver1.2E"
+    Description:
+        Get firmware version
+
+Addr 00 Command 32:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        17  Payload length
+        ..  "TN32MSEC003S H/W Ver3.0J"
+    Description:
+        Get hardware version
+
+Addr 08 Command f5:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        LED sub-board reset.
+        Won't accept LED commands until you do this.
+
+Addr 08 Command f0:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        09  Payload length
+        ..  "15084" (part nr for LED board)
+        FF  ??
+        11  ??
+        00  ??
+        12  ??
+    Description:
+        Get board "info"
+
+Addr 00 Command 54:
+    Req:
+        06  Payload length
+        57  'W'
+        43  'C'
+        43  'C'
+        46  'F'
+        76  'v'
+        32  '2'
+    Resp:
+        00  Status byte?
+        00  ??
+    Description:
+        Set Mifare KeyA.
+        "WCCF" might refer this this SEGA arcade game:
+        https://en.wikipedia.org/wiki/World_Club_Champion_Football
+        It's quite old and has AiMe readers, maybe where they first appeared?
+
+Addr 00 Command 50:
+    Req:
+        06  Payload length
+        60  ??
+        90  ??
+        D0  ?? (This is escaped of course)
+        06  ??
+        32  ??
+        F5  ??
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Possibly Mifare KeyB.
+
+Polling
+-------
+
+Addr 00 Command 40:
+    Req:
+        01  Payload length
+        03  ??
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Poll some other NFC technology?
+
+Addr 00 Command 42:
+    Req:
+        00  Payload length
+    Resp if no MiFare card:
+        00  Status byte
+        01  Payload length
+        00  (represents nothing i guess)
+    Resp if MiFare card:
+        00  Status byte?
+        07  Payload length
+                01  Chunk length?
+                10  ?? Block size maybe?
+                04  Chunk length?
+                ..  Mifare UID, four bytes.
+    Description:
+        Check for Mifare card presence?
+
+Addr 00 Command 41:
+    Req:
+        00  Payload length
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Unknown. Poll some other NFC technology?
+
+Card read
+---------
+
+Addr 00 Command 43:
+    Req:
+        04  Payload length
+        ..  Mifare UID, four bytes.
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Select MiFare by UID?
+
+Addr 00 Command 55:
+    Req:
+        05  Payload length
+        ..  Mifare UID, four bytes.
+        03  ??
+    Resp:
+        00  Status byte
+        00  Payload length
+    Description:
+        Unknown.
+        Block 3 on a Mifare sector contains keys and an access control list.
+        It is generally not accessed directly (unless being provisioned?)
+
+Addr 00 Command 52:
+    Req:
+        05  Payload length
+        ..  Mifare UID, four bytes.
+        ..  Block number, 1 or 2.
+    Resp for Block 1:
+        00  Status byte
+        10  Payload length (1 block)
+        ..  "SBSD"
+            00 00 00 00
+            00 00 00 00
+            00 4E C6 22
+    Resp for Block 2:
+        00  Status byte
+        10  Payload length (1 block)
+        ..  00 00 00 00 00 00 xx xx
+            xx xx xx xx xx xx xx xx
+    Description:
+        Probably reads blocks 1 and 2 from Mifare sector 0.
+        Block 0 contains the "vendor information" and UID.
+        Block 1 contents are unknown, probably AiMe DB info.
+        Block 2 last 10 bytes hex are printed on the card ("local unique id").
+        (Block 3 contains encryption keys so is not allowed to be read)
+
+LED
+---
+
+Addr 08 Command 81:
+    Req:
+        03  Payload length
+        ff  Red intensity
+        ff  Green intensity
+        ff  Blue intensity
+    Resp:
+        None! Command is not acknowledged
+    Description:
+        Set LED color