[proxmark3-svn] / client / cmdhflegic.c

#include <stdio.h>
#include <string.h>
#include "proxusb.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"

static int CmdHelp(const char *Cmd);

static command_t CommandTable[] = 
{
  {"help",        CmdHelp,        1, "This help"},
  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  {NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 *  FIXME: will crash if sample buffer does not contain valid legic data
 */
int CmdLegicDecode(const char *Cmd)
{
  int h, i, j, k, n;
  int segment_len = 0;
  int segment_flag = 0;
  int stamp_len = 0;
  int crc = 0;
  int wrp = 0;
  int wrc = 0;
  int data_buf[1032]; // receiver buffer
  char out_string[3076]; // just use big buffer - bad practice
  char token_type[4];
  int delivered = 0;

  h = 0;
  
  // copy data from proxmark into buffer
  for (i = 0; i < 256; i += 12, h += 48) {
    UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
    SendCommand(&c);
    WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
    
    for (j = 0; j < 48; j += 8) {
      for (k = 0; k < 8; k++) {
        data_buf[h+j+k] = sample_buf[j+k];
      }
      delivered += 8;
      if (delivered >= 1024)
        break;
    }
  }
    
  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  
  PrintAndLog("\nCDF: System Area");
  
  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
    data_buf[0],
    data_buf[1],
    data_buf[2],
    data_buf[3],
    data_buf[4]
  );
  
  crc = data_buf[4];
 
  switch (data_buf[5]&0x7f) {
    case 0x00 ... 0x2f:
      strncpy(token_type, "IAM",sizeof(token_type));
      break;
    case 0x30 ... 0x6f:
      strcpy(token_type, "SAM");
      break;
    case 0x70 ... 0x7f:
      strcpy(token_type, "GAM");
      break;
    default:
      strcpy(token_type, "???");
      break;
  }
  
  stamp_len = 0xfc - data_buf[6];
  
  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
    data_buf[5],
    data_buf[6],
    token_type,
    (data_buf[5]&0x80)>>7,
    stamp_len
  );
  
  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
    data_buf[7]&0x0f,
    (data_buf[7]&0x70)>>4,
    (data_buf[7]&0x80)>>7,
    data_buf[7],
    data_buf[8]
  );
  
  PrintAndLog("Remaining Header Area");
  
  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
      data_buf[9],
    data_buf[10],
    data_buf[11],
    data_buf[12],
    data_buf[13],
    data_buf[14],
    data_buf[15],
    data_buf[16],
    data_buf[17],
    data_buf[18],
    data_buf[19],
    data_buf[20],
    data_buf[21]
  );
  
  PrintAndLog("\nADF: User Area");
  
  i = 22;  
  for (n=0; n<64; n++) {
    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
    
    wrp = (data_buf[i+2]^crc);
    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
    
     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
      n,
      data_buf[i]^crc,
      data_buf[i+1]^crc,
      data_buf[i+2]^crc,
      data_buf[i+3]^crc,
      segment_flag,
      (segment_flag&0x4)>>2,
      (segment_flag&0x8)>>3,
      segment_len,
      wrp,
      wrc,
      ((data_buf[i+3]^crc)&0x80)>>7,
      (data_buf[i+4]^crc)
    );
    
    i+=5;
    
    if (wrc>0) {
      PrintAndLog("WRC protected area:");
      for (k=0, j=0; k < wrc; k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
        
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
    }
    
    if (wrp>wrc) {
      PrintAndLog("Remaining write protected area:");
      
      for (k=0, j=0; k < (wrp-wrc); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
    
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
      if((wrp-wrc) == 8) {
        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
        PrintAndLog("%s", out_string);
      }
    }
    
    PrintAndLog("Remaining segment payload:");
    for (k=0, j=0; k < (segment_len - wrp - 5); k++, i++, j += 3) {
      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
      out_string[j+2] = ' ';
    };
    
    out_string[j] = '\0';
    
    PrintAndLog("%s", out_string);
    
    // end with last segment
    if (segment_flag & 0x8)
      return 0;
  };
  return 0;
}

int CmdLegicRFRead(const char *Cmd)
{
  int byte_count=0,offset=0;
  sscanf(Cmd, "%i %i", &offset, &byte_count);
  if(byte_count == 0) byte_count = 256;
  if(byte_count + offset > 256) byte_count = 256 - offset;
  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
  SendCommand(&c);
  return 0;
}
Commit	Line	Data
8e220a91	1	#include <stdio.h>
8e220a91	2	#include <string.h>
7fe9b0b7	3	#include "proxusb.h"
41dab153	4	#include "data.h"
41dab153	5	#include "ui.h"
7fe9b0b7	6	#include "cmdparser.h"
7fe9b0b7	7	#include "cmdhflegic.h"
669c1b80	8	#include "cmdmain.h"
7fe9b0b7	9
	10	static int CmdHelp(const char *Cmd);
	11
7fe9b0b7	12	static command_t CommandTable[] =
	13	{
	14	{"help", CmdHelp, 1, "This help"},
669c1b80	15	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153	16	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
7fe9b0b7	17	{NULL, NULL, 0, NULL}
	18	};
	19
	20	int CmdHFLegic(const char *Cmd)
	21	{
	22	CmdsParse(CommandTable, Cmd);
	23	return 0;
	24	}
	25
	26	int CmdHelp(const char *Cmd)
	27	{
	28	CmdsHelp(CommandTable);
	29	return 0;
	30	}
669c1b80	31
	32	/*
	33	* Output BigBuf and deobfuscate LEGIC RF tag data.
	34	* This is based on information given in the talk held
	35	* by Henryk Ploetz and Karsten Nohl at 26c3
	36	* FIXME: will crash if sample buffer does not contain valid legic data
	37	*/
	38	int CmdLegicDecode(const char *Cmd)
	39	{
	40	int h, i, j, k, n;
	41	int segment_len = 0;
	42	int segment_flag = 0;
	43	int stamp_len = 0;
	44	int crc = 0;
	45	int wrp = 0;
	46	int wrc = 0;
	47	int data_buf[1032]; // receiver buffer
	48	char out_string[3076]; // just use big buffer - bad practice
	49	char token_type[4];
	50	int delivered = 0;
	51
	52	h = 0;
	53
	54	// copy data from proxmark into buffer
	55	for (i = 0; i < 256; i += 12, h += 48) {
	56	UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
	57	SendCommand(&c);
	58	WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
	59
	60	for (j = 0; j < 48; j += 8) {
	61	for (k = 0; k < 8; k++) {
	62	data_buf[h+j+k] = sample_buf[j+k];
	63	}
	64	delivered += 8;
	65	if (delivered >= 1024)
	66	break;
	67	}
	68	}
	69
	70	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	71
	72	PrintAndLog("\nCDF: System Area");
	73
	74	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	75	data_buf[0],
	76	data_buf[1],
	77	data_buf[2],
	78	data_buf[3],
	79	data_buf[4]
	80	);
	81
	82	crc = data_buf[4];
	83
	84	switch (data_buf[5]&0x7f) {
	85	case 0x00 ... 0x2f:
	86	strncpy(token_type, "IAM",sizeof(token_type));
	87	break;
	88	case 0x30 ... 0x6f:
	89	strcpy(token_type, "SAM");
	90	break;
	91	case 0x70 ... 0x7f:
	92	strcpy(token_type, "GAM");
	93	break;
	94	default:
95	strcpy(token_type, "???");
96	break;
97	}
98
99	stamp_len = 0xfc - data_buf[6];
100
101	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
102	data_buf[5],
103	data_buf[6],
104	token_type,
105	(data_buf[5]&0x80)>>7,
106	stamp_len
107	);
108
109	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
110	data_buf[7]&0x0f,
111	(data_buf[7]&0x70)>>4,
112	(data_buf[7]&0x80)>>7,
113	data_buf[7],
114	data_buf[8]
115	);
116
117	PrintAndLog("Remaining Header Area");
118
119	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
120	data_buf[9],
121	data_buf[10],
122	data_buf[11],
123	data_buf[12],
124	data_buf[13],
125	data_buf[14],
126	data_buf[15],
127	data_buf[16],
128	data_buf[17],
129	data_buf[18],
130	data_buf[19],
131	data_buf[20],
132	data_buf[21]
133	);
134
135	PrintAndLog("\nADF: User Area");
136
41dab153	137	i = 22;
669c1b80	138	for (n=0; n<64; n++) {
	139	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	140	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	141
	142	wrp = (data_buf[i+2]^crc);
	143	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	144
	145	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	146	n,
	147	data_buf[i]^crc,
	148	data_buf[i+1]^crc,
	149	data_buf[i+2]^crc,
	150	data_buf[i+3]^crc,
	151	segment_flag,
	152	(segment_flag&0x4)>>2,
	153	(segment_flag&0x8)>>3,
	154	segment_len,
	155	wrp,
	156	wrc,
	157	((data_buf[i+3]^crc)&0x80)>>7,
	158	(data_buf[i+4]^crc)
	159	);
	160
	161	i+=5;
	162
	163	if (wrc>0) {
	164	PrintAndLog("WRC protected area:");
	165	for (k=0, j=0; k < wrc; k++, i++, j += 3) {
	166	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	167	out_string[j+2] = ' ';
	168	};
	169
	170	out_string[j] = '\0';
	171
	172	PrintAndLog("%s", out_string);
	173	}
	174
	175	if (wrp>wrc) {
	176	PrintAndLog("Remaining write protected area:");
	177
	178	for (k=0, j=0; k < (wrp-wrc); k++, i++, j += 3) {
	179	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	180	out_string[j+2] = ' ';
	181	};
	182
	183	out_string[j] = '\0';
	184
	185	PrintAndLog("%s", out_string);
	186	if((wrp-wrc) == 8) {
	187	sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
	188	PrintAndLog("%s", out_string);
	189	}
	190	}
	191
	192	PrintAndLog("Remaining segment payload:");
	193	for (k=0, j=0; k < (segment_len - wrp - 5); k++, i++, j += 3) {
	194	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	195	out_string[j+2] = ' ';
	196	};
	197
	198	out_string[j] = '\0';
	199
	200	PrintAndLog("%s", out_string);
	201
202	// end with last segment
203	if (segment_flag & 0x8)
204	return 0;
205	};
206	return 0;
207	}
41dab153	208
	209	int CmdLegicRFRead(const char *Cmd)
	210	{
	211	int byte_count=0,offset=0;
	212	sscanf(Cmd, "%i %i", &offset, &byte_count);
	213	if(byte_count == 0) byte_count = 256;
	214	if(byte_count + offset > 256) byte_count = 256 - offset;
	215	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	216	SendCommand(&c);
	217	return 0;
	218	}