I've been trying to design a module that will allow me to modify selected slave responses on an I2C bus. Here is the original bus configuration (the pull-ups and power connections are not shown for clarity:
There's only 2 devices on this bus and it's only 100kHz. A controller MCU (I2C master) and the RFID card reader (I2C slave) NXP PN512. I can't modify the controller firmware or change the I2C bus transactions. The good part is that the Controller sends only 2 types of transactions:
Master (Write Register) - <s><address+W><register number><data><p>
Master (Read Register) - <s><address+W><register number><p><s><address+R><data><p>
What I want to do is to replace selected data bytes during the Master register read with my own bytes. I can send the register numbers the MCU wants to read to my PC over UART (921.6kbaud). I can process them in C/C++ or Python there. When I receive the register number whose value needs to be replaced I can send a fake byte back to my device and it will take care of sending it back to the controller replacing the original card response.
At first I split the I2C bus into two buses:
I tried Arduino Nano and later a CPLD using clock stretching. ATmega328 hardware I2C facing the MCU controller could not keep up as sometimes the start sequence was generated sooner than 5us after previous stop cycle. So every now and then the AVR was NAK'ing a read transaction.
The CPLD could handle the stop/start speed it turned out the bus stretching was disabled in the MCU.
I came up with an idea that I can "predict" Master register read by detecting a single byte write since I'm sure that it's followed by a read. It seems that I had enough time during the following read cycle address write to bring in the byte from the slave. That did not quite work. The bus transactions seemed fine at the beginning (approx. first 5 seconds) but then the controller was ceasing all communications on the bus as if it detected that it's not directly talking to tag read.
The card reader can also generate interrupts to the master. The IRQs are a timer or event based. I attributed the problem to the delay I was inherently introducing on the bus. I might have been wrong but I came up with another "zero-delay" design.
The idea is that I can only break the SDA line and leave the SCL line connected between the master and the slave. This way I can still replace bytes on the data line in either direction. The design proved to be more complicated as I have to control the SDA line direction based on the bus cycle.
Here is the VHDL code that handles the bus transactions and sends hex bytes over UART to the computer. Receiving bytes from the computer is not yet implemented:
library ieee;
use ieee.std_logic_1164.all;
use ieee.numeric_std.all;
entity I2C_Sniffer is
port (
clk : in std_logic;
scl_master : in std_logic;
sda_master : inout std_logic;
sda_slave : inout std_logic;
tx : out std_logic
);
end entity I2C_Sniffer;
architecture arch of I2C_Sniffer is
signal clkDiv: std_logic_vector(7 downto 0) := (others => '0');
type I2C_STATE is (I2C_IDLE, I2C_MASTER_WRITE, I2C_SLAVE_ACK, I2C_MASTER_READ, I2C_MASTER_ACK);
signal i2cState: I2C_STATE := I2C_IDLE;
type I2C_BUS_DIR is (MASTER_TO_SLAVE, SLAVE_TO_MASTER);
signal i2cBusDir: I2C_BUS_DIR := MASTER_TO_SLAVE;
signal i2cRxData: std_logic_vector(7 downto 0);
signal i2cCntr: integer range 0 to 8 := 0;
signal i2cAddr: std_logic := '1';
signal i2cCmd: std_logic := '0';
signal scl_d: std_logic := '1';
signal scl: std_logic := '1';
signal sda_d: std_logic := '1';
signal sda: std_logic := '1';
--Strobes for SCL edges and Start/Stop bits
signal start_strobe : std_logic := '0';
signal stop_strobe : std_logic := '0';
signal scl_rising_strobe : std_logic := '0';
signal scl_falling_strobe : std_logic := '0';
type UART_STATE is (UART_IDLE, UART_START, UART_DATA, UART_STOP);
signal uartState: UART_STATE := UART_IDLE;
signal uartTxRdy: std_logic := '0';
signal uartTxData: std_logic_vector(7 downto 0);
signal uartCntr: integer range 0 to 8 := 0;
begin
CLK_DIV: process (clk)
begin
if rising_edge(clk) then
clkDiv <= std_logic_vector(unsigned(clkDiv) + 1);
end if;
end process;
I2C_STROBES: process (clk)
begin
if rising_edge(clk) then
--Pipelined SDA and SCL signals
scl_d <= scl_master;
scl <= scl_d;
scl_rising_strobe <= '0';
if scl = '0' and scl_d = '1' then
scl_rising_strobe <= '1';
end if;
scl_falling_strobe <= '0';
if scl = '1' and scl_d = '0' then
scl_falling_strobe <= '1';
end if;
if i2cBusDir = MASTER_TO_SLAVE then
sda_d <= sda_master;
sda <= sda_d;
else
sda_d <= sda_slave;
sda <= sda_d;
end if;
start_strobe <= '0';
if sda_d = '0' and sda = '1' and scl = '1' and scl_d = '1' then
start_strobe <= '1';
end if;
stop_strobe <= '0';
if sda_d = '1' and sda = '0' and scl = '1' and scl_d = '1' then
stop_strobe <= '1';
end if;
end if;
end process;
BUS_DIR: process(sda_master, sda_slave, i2cBusDir)
begin
if i2cBusDir = MASTER_TO_SLAVE then
sda_slave <= sda_master;
sda_master <= 'Z';
else
sda_master <= sda_slave;
sda_slave <= 'Z';
end if;
end process;
I2C: process(clk)
begin
if rising_edge(clk) then
uartTxRdy <= '0';
case i2cState is
when I2C_IDLE =>
i2cBusDir <= MASTER_TO_SLAVE;
if start_strobe = '1' then
i2cAddr <= '1';
i2cCntr <= 0;
i2cState <= I2C_MASTER_WRITE;
end if;
-- Master Write (Address/Data)
when I2C_MASTER_WRITE =>
i2cBusDir <= MASTER_TO_SLAVE;
if stop_strobe = '1' then
i2cState <= I2C_IDLE;
uartTxData <= "00001010";
uartTxRdy <= '1';
end if;
if scl_rising_strobe = '1' then
if i2cCntr <= 7 then
i2cRxData(7 - i2cCntr) <= sda;
i2cCntr <= i2cCntr + 1;
end if;
end if;
if i2cCntr = 4 then
case i2cRxData(7 downto 4) is
when "0000" => uartTxData <= "00110000"; --0
when "0001" => uartTxData <= "00110001"; --1
when "0010" => uartTxData <= "00110010"; --2
when "0011" => uartTxData <= "00110011"; --3
when "0100" => uartTxData <= "00110100"; --4
when "0101" => uartTxData <= "00110101"; --5
when "0110" => uartTxData <= "00110110"; --6
when "0111" => uartTxData <= "00110111"; --7
when "1000" => uartTxData <= "00111000"; --8
when "1001" => uartTxData <= "00111001"; --9
when "1010" => uartTxData <= "01000001"; --A
when "1011" => uartTxData <= "01000010"; --B
when "1100" => uartTxData <= "01000011"; --C
when "1101" => uartTxData <= "01000100"; --D
when "1110" => uartTxData <= "01000101"; --E
when "1111" => uartTxData <= "01000110"; --F
when others => uartTxData <= "00111111"; --?
end case;
uartTxRdy <= '1';
end if;
if i2cCntr = 8 then
case i2cRxData(3 downto 0) is
when "0000" => uartTxData <= "00110000"; --0
when "0001" => uartTxData <= "00110001"; --1
when "0010" => uartTxData <= "00110010"; --2
when "0011" => uartTxData <= "00110011"; --3
when "0100" => uartTxData <= "00110100"; --4
when "0101" => uartTxData <= "00110101"; --5
when "0110" => uartTxData <= "00110110"; --6
when "0111" => uartTxData <= "00110111"; --7
when "1000" => uartTxData <= "00111000"; --8
when "1001" => uartTxData <= "00111001"; --9
when "1010" => uartTxData <= "01000001"; --A
when "1011" => uartTxData <= "01000010"; --B
when "1100" => uartTxData <= "01000011"; --C
when "1101" => uartTxData <= "01000100"; --D
when "1110" => uartTxData <= "01000101"; --E
when "1111" => uartTxData <= "01000110"; --F
when others => uartTxData <= "00111111"; --?
end case;
uartTxRdy <= '1';
end if;
if i2cCntr = 8 then
if scl_falling_strobe = '1' then
i2cState <= I2C_SLAVE_ACK;
if i2cAddr = '1' then
i2cCmd <= i2cRxData(0);
i2cAddr <= '0';
end if;
end if;
end if;
when I2C_SLAVE_ACK =>
i2cBusDir <= SLAVE_TO_MASTER;
if scl_falling_strobe = '1' then
i2cCntr <= 0;
if i2cCmd = '0' then
i2cState <= I2C_MASTER_WRITE;
else
i2cState <= I2C_MASTER_READ;
end if;
end if;
when I2C_MASTER_READ =>
i2cBusDir <= SLAVE_TO_MASTER;
if stop_strobe = '1' then
i2cState <= I2C_IDLE;
uartTxData <= "00001010";
uartTxRdy <= '1';
end if;
if scl_rising_strobe = '1' then
if i2cCntr <= 7 then
i2cRxData(7 - i2cCntr) <= sda;
i2cCntr <= i2cCntr + 1;
end if;
end if;
if i2cCntr = 4 then
case i2cRxData(7 downto 4) is
when "0000" => uartTxData <= "00110000"; --0
when "0001" => uartTxData <= "00110001"; --1
when "0010" => uartTxData <= "00110010"; --2
when "0011" => uartTxData <= "00110011"; --3
when "0100" => uartTxData <= "00110100"; --4
when "0101" => uartTxData <= "00110101"; --5
when "0110" => uartTxData <= "00110110"; --6
when "0111" => uartTxData <= "00110111"; --7
when "1000" => uartTxData <= "00111000"; --8
when "1001" => uartTxData <= "00111001"; --9
when "1010" => uartTxData <= "01000001"; --A
when "1011" => uartTxData <= "01000010"; --B
when "1100" => uartTxData <= "01000011"; --C
when "1101" => uartTxData <= "01000100"; --D
when "1110" => uartTxData <= "01000101"; --E
when "1111" => uartTxData <= "01000110"; --F
when others => uartTxData <= "00111111"; --?
end case;
uartTxRdy <= '1';
end if;
if i2cCntr = 8 then
case i2cRxData(3 downto 0) is
when "0000" => uartTxData <= "00110000"; --0
when "0001" => uartTxData <= "00110001"; --1
when "0010" => uartTxData <= "00110010"; --2
when "0011" => uartTxData <= "00110011"; --3
when "0100" => uartTxData <= "00110100"; --4
when "0101" => uartTxData <= "00110101"; --5
when "0110" => uartTxData <= "00110110"; --6
when "0111" => uartTxData <= "00110111"; --7
when "1000" => uartTxData <= "00111000"; --8
when "1001" => uartTxData <= "00111001"; --9
when "1010" => uartTxData <= "01000001"; --A
when "1011" => uartTxData <= "01000010"; --B
when "1100" => uartTxData <= "01000011"; --C
when "1101" => uartTxData <= "01000100"; --D
when "1110" => uartTxData <= "01000101"; --E
when "1111" => uartTxData <= "01000110"; --F
when others => uartTxData <= "00111111"; --?
end case;
uartTxRdy <= '1';
end if;
if i2cCntr = 8 and scl_falling_strobe = '1' then
i2cState <= I2C_MASTER_ACK;
end if;
when I2C_MASTER_ACK =>
i2cBusDir <= MASTER_TO_SLAVE;
if scl_falling_strobe = '1' then
i2cCntr <= 0;
end if;
if stop_strobe = '1' then
i2cState <= I2C_IDLE;
uartTxData <= "00001010"; -- \n
uartTxRdy <= '1';
end if;
end case;
end if;
end process;
UART: process (clk, clkDiv(1), uartTxRdy)
begin
if rising_edge(clk) then
case uartState is
when UART_IDLE =>
if uartTxRdy = '1' then
uartState <= UART_START;
end if;
when UART_START =>
if clkDiv(1 downto 0) = "00" then
tx <= '0';
uartState <= UART_DATA;
uartCntr <= 0;
end if;
when UART_DATA =>
if clkDiv(1 downto 0) = "00" then
if uartCntr <= 7 then
uartCntr <= uartCntr + 1;
tx <= uartTxData(uartCntr);
else
tx <= '1';
uartState <= UART_STOP;
end if;
end if;
when UART_STOP =>
if clkDiv(1 downto 0) = "00" then
tx <= '1';
uartState <= UART_IDLE;
end if;
end case;
end if;
end process;
end architecture arch;
Below are the bus transations captured with the CPLD controlling the SDA line.
Register write:
Register read:
You can see a few glitches when the bus direction changes. That's caused by the differences in timing between the CPLD changing the bus direction and the card reader generating an ACK. The ACK level seems to be stable on the rising edge of the SCL. As far as I know that's all you need.
With this thing in place the controller behaves the same way as with the split buses suspending any bus activity within a few seconds.
I also test that w Arduino that mocks that MCU and generates bus traffic for me and it looks like Arduino also freezes every now and then. So I guess I may have some kind of issue with the VHDL state machine where under some conditions I get stuck in one state with no way out.
Any ideas?
Best Answer
I think that attempting cutsey hacks like you have been is asking for trouble, with exactly the kind of symptoms you are running into. You are basically trying to cheat and hope you don't get caught.
The one thing you haven't tried, according to your description, is a full emulation of this card reader thing. You haven't really explained what exactly it does and how complicated it is, but judging from what the master is sending it's not that complicated.
Use a microcontroller with hardware IIC slave capability. That is connected to the master. The firmware emulates the card reader. Since the only thing the master ever reads is a sequence of registers, the other part of the firmware communicates completely asynchronously with the card reader to get information from it and to control it. This also means that the reset and IRQ lines are separate too.
If done right, this has to work, as there is no cheating going on. The card reader sees a controller sending it commands and doing reads exactly how it was intended to be used. This includes responding to IRQ events.
The master thinks it's talking directly to a real card reader because you emulate all its operations just like the real thing, including the reset and IRQ behavior.
This may sound like more work than some quick and dirty jamming a different byte onto the bus hack, but as you found that's not so quick, and may always have some timing issues. With a full emulation, all timing constraints are lifted. If your emulation hasn't yet caught up to something the card reader has done, then it acts to the master like it hasn't happened yet. You basically pretend nothing new has happened until your emulation is ready to respond to the event in all aspects.
This means you really have two asynchronous parts of the firmware: The IIC emulation of the reader presented to the master, and a full card reader driver that allows you to keep all its state live in your internal memory.
Since you're not cheating, this has to work if done right. The only system-level issue is that there will be some delay in the master seeing and causing card reader actions than the existing system. This doesn't sound like a big deal for a "card reader", and considering this delay would likely be 10s of milliseconds at worst. It certainly should not be noticeable on a human time scale.
Note that the communication between your emulator and the card reader isn't limited to the 100 kbits/s currently used. You should run that as fast as the card reader and your hardware allows. After all, on that link you'll be the master, so you own the clock. Again, with proper firmware architecture and asynchronous tasks, this should not matter. In fact, your driver will probably communicate more often and get more data from the card reader than the master gets from your emulator.