Legic Tag Simulator (#666)
[proxmark3-svn] / client / cmdhflegic.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency Legic commands
9//-----------------------------------------------------------------------------
10
ad939de5 11#include "cmdhflegic.h"
12
8e220a91 13#include <stdio.h>
14#include <string.h>
43534cba 15#include <inttypes.h>
ad939de5 16#include "comms.h"
41dab153 17#include "ui.h"
7fe9b0b7 18#include "cmdparser.h"
669c1b80 19#include "cmdmain.h"
31d1caa5 20#include "util.h"
ad939de5 21
7fe9b0b7 22static int CmdHelp(const char *Cmd);
23
7fe9b0b7 24static command_t CommandTable[] =
25{
26 {"help", CmdHelp, 1, "This help"},
669c1b80 27 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153 28 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
3612a8a8 29 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
30 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
1b902aa0 31 {"sim", CmdLegicRfSim, 0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
3612a8a8 32 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
33 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
7fe9b0b7 34 {NULL, NULL, 0, NULL}
35};
36
37int CmdHFLegic(const char *Cmd)
38{
39 CmdsParse(CommandTable, Cmd);
40 return 0;
41}
42
43int CmdHelp(const char *Cmd)
44{
45 CmdsHelp(CommandTable);
46 return 0;
47}
669c1b80 48
49/*
50 * Output BigBuf and deobfuscate LEGIC RF tag data.
51 * This is based on information given in the talk held
52 * by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80 53 */
54int CmdLegicDecode(const char *Cmd)
55{
4961e292 56 int i, j, k, n;
669c1b80 57 int segment_len = 0;
58 int segment_flag = 0;
59 int stamp_len = 0;
60 int crc = 0;
61 int wrp = 0;
62 int wrc = 0;
bf824347 63 uint8_t data_buf[1053]; // receiver buffer
669c1b80 64 char out_string[3076]; // just use big buffer - bad practice
65 char token_type[4];
669c1b80 66
67 // copy data from proxmark into buffer
babca445 68 GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
669c1b80 69
70 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
71
72 PrintAndLog("\nCDF: System Area");
73
74 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
75 data_buf[0],
76 data_buf[1],
77 data_buf[2],
78 data_buf[3],
79 data_buf[4]
80 );
81
82 crc = data_buf[4];
83
84 switch (data_buf[5]&0x7f) {
85 case 0x00 ... 0x2f:
86 strncpy(token_type, "IAM",sizeof(token_type));
87 break;
88 case 0x30 ... 0x6f:
89 strcpy(token_type, "SAM");
90 break;
91 case 0x70 ... 0x7f:
92 strcpy(token_type, "GAM");
93 break;
94 default:
95 strcpy(token_type, "???");
96 break;
97 }
98
99 stamp_len = 0xfc - data_buf[6];
100
101 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
102 data_buf[5],
103 data_buf[6],
104 token_type,
105 (data_buf[5]&0x80)>>7,
106 stamp_len
107 );
108
109 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
110 data_buf[7]&0x0f,
111 (data_buf[7]&0x70)>>4,
112 (data_buf[7]&0x80)>>7,
113 data_buf[7],
114 data_buf[8]
115 );
116
117 PrintAndLog("Remaining Header Area");
118
119 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
120 data_buf[9],
121 data_buf[10],
122 data_buf[11],
123 data_buf[12],
124 data_buf[13],
125 data_buf[14],
126 data_buf[15],
127 data_buf[16],
128 data_buf[17],
129 data_buf[18],
130 data_buf[19],
131 data_buf[20],
132 data_buf[21]
133 );
134
135 PrintAndLog("\nADF: User Area");
136
41dab153 137 i = 22;
669c1b80 138 for (n=0; n<64; n++) {
139 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
140 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
141
142 wrp = (data_buf[i+2]^crc);
143 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
144
145 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
146 n,
147 data_buf[i]^crc,
148 data_buf[i+1]^crc,
149 data_buf[i+2]^crc,
150 data_buf[i+3]^crc,
151 segment_flag,
152 (segment_flag&0x4)>>2,
153 (segment_flag&0x8)>>3,
154 segment_len,
155 wrp,
156 wrc,
157 ((data_buf[i+3]^crc)&0x80)>>7,
158 (data_buf[i+4]^crc)
159 );
160
161 i+=5;
162
163 if (wrc>0) {
164 PrintAndLog("WRC protected area:");
31332265 165 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 166 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
167 out_string[j+2] = ' ';
168 };
169
170 out_string[j] = '\0';
171
172 PrintAndLog("%s", out_string);
173 }
174
175 if (wrp>wrc) {
176 PrintAndLog("Remaining write protected area:");
177
31332265 178 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 179 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
180 out_string[j+2] = ' ';
181 };
182
183 out_string[j] = '\0';
184
185 PrintAndLog("%s", out_string);
186 if((wrp-wrc) == 8) {
187 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
188 PrintAndLog("%s", out_string);
189 }
190 }
191
192 PrintAndLog("Remaining segment payload:");
31332265 193 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 194 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
195 out_string[j+2] = ' ';
196 };
197
198 out_string[j] = '\0';
199
200 PrintAndLog("%s", out_string);
201
202 // end with last segment
203 if (segment_flag & 0x8)
204 return 0;
205 };
206 return 0;
207}
41dab153 208
209int CmdLegicRFRead(const char *Cmd)
210{
211 int byte_count=0,offset=0;
212 sscanf(Cmd, "%i %i", &offset, &byte_count);
a2b1414f 213 if(byte_count == 0) byte_count = -1;
214 if(byte_count + offset > 1024) byte_count = 1024 - offset;
41dab153 215 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
216 SendCommand(&c);
217 return 0;
218}
3612a8a8 219
220int CmdLegicLoad(const char *Cmd)
221{
b915fda3 222 char filename[FILE_PATH_SIZE] = {0x00};
223 int len = 0;
224
225 if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
226 PrintAndLog("It loads datasamples from the file `filename`");
227 PrintAndLog("Usage: hf legic load <file name>");
228 PrintAndLog(" sample: hf legic load filename");
229 return 0;
230 }
231
232 len = strlen(Cmd);
233 if (len > FILE_PATH_SIZE) {
234 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
235 return 0;
236 }
237 memcpy(filename, Cmd, len);
238
239 FILE *f = fopen(filename, "r");
3612a8a8 240 if(!f) {
241 PrintAndLog("couldn't open '%s'", Cmd);
242 return -1;
243 }
244 char line[80]; int offset = 0; unsigned int data[8];
245 while(fgets(line, sizeof(line), f)) {
246 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
247 &data[0], &data[1], &data[2], &data[3],
248 &data[4], &data[5], &data[6], &data[7]);
249 if(res != 8) {
250 PrintAndLog("Error: could not read samples");
251 fclose(f);
252 return -1;
253 }
8c8317a5 254 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
3612a8a8 255 int j; for(j = 0; j < 8; j++) {
256 c.d.asBytes[j] = data[j];
257 }
258 SendCommand(&c);
902cb3c0 259 WaitForResponse(CMD_ACK, NULL);
3612a8a8 260 offset += 8;
261 }
262 fclose(f);
263 PrintAndLog("loaded %u samples", offset);
264 return 0;
265}
266
267int CmdLegicSave(const char *Cmd)
268{
3612a8a8 269 int requested = 1024;
270 int offset = 0;
4961e292 271 int delivered = 0;
b915fda3 272 char filename[FILE_PATH_SIZE];
4961e292 273 uint8_t got[1024];
274
3612a8a8 275 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
3612a8a8 276
4961e292 277 /* If no length given save entire legic read buffer */
278 /* round up to nearest 8 bytes so the saved data can be used with legicload */
3612a8a8 279 if (requested == 0) {
4961e292 280 requested = 1024;
3612a8a8 281 }
4961e292 282 if (requested % 8 != 0) {
283 int remainder = requested % 8;
284 requested = requested + 8 - remainder;
285 }
4961e292 286 if (offset + requested > sizeof(got)) {
287 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
288 return 0;
289 }
290
3612a8a8 291 FILE *f = fopen(filename, "w");
292 if(!f) {
293 PrintAndLog("couldn't open '%s'", Cmd+1);
294 return -1;
295 }
296
babca445 297 GetFromBigBuf(got, requested, offset, NULL, -1, false);
4961e292 298
299 for (int j = 0; j < requested; j += 8) {
300 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
301 got[j+0],
302 got[j+1],
303 got[j+2],
304 got[j+3],
305 got[j+4],
306 got[j+5],
307 got[j+6],
308 got[j+7]
309 );
310 delivered += 8;
3612a8a8 311 if (delivered >= requested)
312 break;
313 }
314
315 fclose(f);
316 PrintAndLog("saved %u samples", delivered);
317 return 0;
318}
319
320int CmdLegicRfSim(const char *Cmd)
321{
322 UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
1b902aa0
A
323 c.arg[0] = 1;
324 sscanf(Cmd, " %" SCNi64, &c.arg[0]);
3612a8a8 325 SendCommand(&c);
326 return 0;
327}
328
329int CmdLegicRfWrite(const char *Cmd)
330{
331 UsbCommand c={CMD_WRITER_LEGIC_RF};
43534cba 332 int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
3612a8a8 333 if(res != 2) {
334 PrintAndLog("Please specify the offset and length as two hex strings");
335 return -1;
336 }
337 SendCommand(&c);
338 return 0;
339}
340
341int CmdLegicRfFill(const char *Cmd)
342{
343 UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
43534cba 344 int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8 345 if(res != 3) {
346 PrintAndLog("Please specify the offset, length and value as two hex strings");
347 return -1;
348 }
349
350 int i;
8c8317a5 351 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
3612a8a8 352 for(i = 0; i < 48; i++) {
353 c.d.asBytes[i] = cmd.arg[2];
354 }
355 for(i = 0; i < 22; i++) {
356 c.arg[0] = i*48;
357 SendCommand(&c);
902cb3c0 358 WaitForResponse(CMD_ACK,NULL);
3612a8a8 359 }
360 SendCommand(&cmd);
361 return 0;
362 }
363
Impressum, Datenschutz