experimental emulation over RF. slow down bit time for better RXing o…

…n a sdr

README.md

@@ -48,7 +48,7 @@ Attempting to exploit flipper hardware to some extent
 - [X] Preprocess all MSR data into bitwise arrays, including manchester encoding. 
 - [ ] Feed bits from timers
 - [ ] Sync to the lfrfid timer and experiment representing a field flip with a few cycles of a high frequency carrier, like the 125khz lfrfid one. Perhaps mag readers' frontends will lowpass such signals, and keep only the low frequency component, in an attempt to drown out nearby noise?
-- [ ] Can the CC1101 radio be used in any way? Driving it from GD0 can achieve 50us, or about 10khz. Probably more with sync/packet mode
+- [X] Can the CC1101 radio be used in any way? Driving it from GD0 can achieve 50us, or about 10khz. Probably more with sync/packet mode. **Currently under testing**. The signal is extra noisy with a very wide bandwidth, but, in theory, it can work
 - [ ] Can the 5V pin act as a coil driver? I've read reports it can drive 0.4A, other reports it can drive 2A. It boils down to bq25896 being fast enough. Ref: bq25896_enable_otg, which will probably need bypassing kernel libs and calling furi_hal_i2c_tx/furi_hal_i2c_tx whatever calls from Cube libs.
 - [ ] Investigate transparent mode on 3916
 - [ ] Can the piezo be used at its resonant frequency? I've seen LF signals being emulated with [nothing but headphones](https://github.com/smre/DCF77/blob/master/DCF77.py#L124) running a subharmonic; the wheel brake on some carts seems to react to audiofreq signals (or the RF emission from driving a speaker)

helpers/mag_helpers.c

@@ -27,11 +27,31 @@ void bitbang_raw(bool value, MagSetting* setting)
             furi_hal_gpio_write(GPIO_PIN_A, value);
             furi_hal_gpio_write(GPIO_PIN_B, !value);
             break;
+        case MagTxCC1101_434:
+        case MagTxCC1101_868:
+            furi_hal_gpio_write(&gpio_cc1101_g0, true);
+            furi_delay_us(64);
+            furi_hal_gpio_write(&gpio_cc1101_g0, false);
+            break;
         default:
             break;
     }
 }
 
+void play_bit_rf(bool bit, MagSetting* setting) {
+
+    bit_dir ^= 1;
+    furi_hal_gpio_write(&gpio_cc1101_g0, bit_dir);
+    furi_delay_us(setting->us_clock);
+
+    if(bit) {
+        bit_dir ^= 1;
+        furi_hal_gpio_write(&gpio_cc1101_g0, bit_dir);
+    }
+    furi_delay_us(setting->us_clock);
+    furi_delay_us(setting->us_interpacket);
+}
+
 void play_bit_rfid(uint8_t send_bit, MagSetting* setting) {
     // internal TX over RFID coil
     bit_dir ^= 1;
@@ -73,6 +93,10 @@ bool play_bit(uint8_t send_bit, MagSetting* setting) {
     case MagTxStateGPIOA6A7:
         play_bit_gpio(send_bit, setting);
         break;
+    case MagTxCC1101_434:
+    case MagTxCC1101_868:
+        play_bit_rf(send_bit & 0x01, setting);
+        break;
     default:
         return false;
     }
@@ -135,6 +159,28 @@ void tx_reset_gpio() {
     furi_hal_power_disable_otg();
 }
 
+void tx_init_rf(int hz)
+{
+    // presets and frequency will need some experimenting
+    furi_hal_subghz_reset();
+    furi_hal_subghz_load_preset(FuriHalSubGhzPresetOok650Async);
+    // furi_hal_subghz_load_preset(FuriHalSubGhzPresetGFSK9_99KbAsync);
+    // furi_hal_subghz_load_preset(FuriHalSubGhzPresetMSK99_97KbAsync);
+    // furi_hal_subghz_load_preset(FuriHalSubGhzPreset2FSKDev238Async);
+    // furi_hal_subghz_load_preset(FuriHalSubGhzPreset2FSKDev476Async);
+    furi_hal_gpio_init(&gpio_cc1101_g0, GpioModeOutputPushPull, GpioPullNo, GpioSpeedLow);
+    furi_hal_subghz_set_frequency_and_path(hz);
+    furi_hal_subghz_tx();
+    furi_hal_gpio_write(&gpio_cc1101_g0, false);
+}
+
+void tx_deinit_rf()
+{
+    furi_hal_gpio_write(&gpio_cc1101_g0, false);
+    furi_hal_subghz_reset();
+    furi_hal_subghz_idle();
+}
+
 bool tx_init(MagSetting* setting) {
     // Initialize configured TX method
     switch(setting->tx) {
@@ -144,6 +190,12 @@ bool tx_init(MagSetting* setting) {
     case MagTxStateGPIOA6A7:
         tx_init_gpio();
         break;
+    case MagTxCC1101_434:
+        tx_init_rf(434000000);
+        break;
+    case MagTxCC1101_868:
+        tx_init_rf(868000000);
+        break;
     default:
         return false;
     }
@@ -160,6 +212,10 @@ bool tx_reset(MagSetting* setting) {
     case MagTxStateGPIOA6A7:
         tx_reset_gpio();
         break;
+    case MagTxCC1101_434:
+    case MagTxCC1101_868:
+        tx_deinit_rf();
+        break;
     default:
         return false;
     }

helpers/mag_helpers.h

@@ -26,4 +26,6 @@ uint16_t add_bit(bool value, uint8_t* out, uint16_t count);
 uint16_t add_bit_manchester(bool value, uint8_t* out, uint16_t count);
 uint16_t msr_encode(char* data, uint8_t* out_manchester, uint8_t* out_raw, uint8_t track_bits, uint8_t track_ascii_offset);
 void debug_msr_string(char* data,  uint8_t track_bits, uint8_t track_ascii_offset);
-void mag_spoof_bitwise(Mag* mag);
+void mag_spoof_bitwise(Mag* mag);
+void tx_deinit_rf();
+void tx_init_rf(int hz);

helpers/mag_types.h

@@ -29,4 +29,6 @@ typedef enum {
 typedef enum {
     MagTxStateRFID,
     MagTxStateGPIOA6A7,
+    MagTxCC1101_434,
+    MagTxCC1101_868,
 } MagTxState;

mag_i.h

@@ -8,6 +8,8 @@
 #include <furi.h>
 #include <furi_hal.h>
 #include <furi/core/log.h>
+#include <furi_hal_gpio.h>
+#include <furi_hal_resources.h>
 
 #include <gui/gui.h>
 #include <gui/view.h>

scenes/mag_scene_emulate_config.c

@@ -10,14 +10,19 @@ enum MagSettingIndex {
     MagSettingIndexInterpacket,
 };
 
-#define TX_COUNT 2
+#define TX_COUNT 4
 const char* const tx_text[TX_COUNT] = {
     "RFID",
     "A6/A7",
+    "434MHz",
+    "868MHz",
 };
 const uint32_t tx_value[TX_COUNT] = {
     MagTxStateRFID,
     MagTxStateGPIOA6A7,
+    MagTxCC1101_434,
+    MagTxCC1101_868,
+
 };
 
 #define TRACK_COUNT 3