[proxmark3-svn] / client / cmdhflegic.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency Legic commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include <inttypes.h>
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"
#include "util.h"
static int CmdHelp(const char *Cmd);

static command_t CommandTable[] = 
{
  {"help",        CmdHelp,        1, "This help"},
  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  {"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
  {"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
  {"sim",         CmdLegicRfSim,  0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
  {"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
  {"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
  {NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 */
int CmdLegicDecode(const char *Cmd)
{
  int i, j, k, n;
  int segment_len = 0;
  int segment_flag = 0;
  int stamp_len = 0;
  int crc = 0;
  int wrp = 0;
  int wrc = 0;
  uint8_t data_buf[1053]; // receiver buffer
  char out_string[3076]; // just use big buffer - bad practice
  char token_type[4];
  
  // copy data from proxmark into buffer
   GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
    
  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  
  PrintAndLog("\nCDF: System Area");
  
  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
    data_buf[0],
    data_buf[1],
    data_buf[2],
    data_buf[3],
    data_buf[4]
  );
  
  crc = data_buf[4];
 
  switch (data_buf[5]&0x7f) {
    case 0x00 ... 0x2f:
      strncpy(token_type, "IAM",sizeof(token_type));
      break;
    case 0x30 ... 0x6f:
      strcpy(token_type, "SAM");
      break;
    case 0x70 ... 0x7f:
      strcpy(token_type, "GAM");
      break;
    default:
      strcpy(token_type, "???");
      break;
  }
  
  stamp_len = 0xfc - data_buf[6];
  
  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
    data_buf[5],
    data_buf[6],
    token_type,
    (data_buf[5]&0x80)>>7,
    stamp_len
  );
  
  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
    data_buf[7]&0x0f,
    (data_buf[7]&0x70)>>4,
    (data_buf[7]&0x80)>>7,
    data_buf[7],
    data_buf[8]
  );
  
  PrintAndLog("Remaining Header Area");
  
  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
      data_buf[9],
    data_buf[10],
    data_buf[11],
    data_buf[12],
    data_buf[13],
    data_buf[14],
    data_buf[15],
    data_buf[16],
    data_buf[17],
    data_buf[18],
    data_buf[19],
    data_buf[20],
    data_buf[21]
  );
  
  PrintAndLog("\nADF: User Area");
  
  i = 22;  
  for (n=0; n<64; n++) {
    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
    
    wrp = (data_buf[i+2]^crc);
    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
    
     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
      n,
      data_buf[i]^crc,
      data_buf[i+1]^crc,
      data_buf[i+2]^crc,
      data_buf[i+3]^crc,
      segment_flag,
      (segment_flag&0x4)>>2,
      (segment_flag&0x8)>>3,
      segment_len,
      wrp,
      wrc,
      ((data_buf[i+3]^crc)&0x80)>>7,
      (data_buf[i+4]^crc)
    );
    
    i+=5;
    
    if (wrc>0) {
      PrintAndLog("WRC protected area:");
      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
        
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
    }
    
    if (wrp>wrc) {
      PrintAndLog("Remaining write protected area:");
      
      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
    
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
      if((wrp-wrc) == 8) {
        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
        PrintAndLog("%s", out_string);
      }
    }
    
    PrintAndLog("Remaining segment payload:");
    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
      out_string[j+2] = ' ';
    };
    
    out_string[j] = '\0';
    
    PrintAndLog("%s", out_string);
    
    // end with last segment
    if (segment_flag & 0x8)
      return 0;
  };
  return 0;
}

int CmdLegicRFRead(const char *Cmd)
{
  int byte_count=0,offset=0;
  sscanf(Cmd, "%i %i", &offset, &byte_count);
  if(byte_count == 0) byte_count = -1;
  if(byte_count + offset > 1024) byte_count = 1024 - offset;
  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
  SendCommand(&c);
  return 0;
}

int CmdLegicLoad(const char *Cmd)
{
	char filename[FILE_PATH_SIZE] = {0x00};
	int len = 0;
	
	if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
		PrintAndLog("It loads datasamples from the file `filename`");
		PrintAndLog("Usage:  hf legic load <file name>");
		PrintAndLog(" sample: hf legic load filename");
		return 0;
	}

	len = strlen(Cmd);	
	if (len > FILE_PATH_SIZE) {
		PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
		return 0;
	}
	memcpy(filename, Cmd, len);

    FILE *f = fopen(filename, "r");
    if(!f) {
        PrintAndLog("couldn't open '%s'", Cmd);
        return -1;
    }
    char line[80]; int offset = 0; unsigned int data[8];
    while(fgets(line, sizeof(line), f)) {
        int res = sscanf(line, "%x %x %x %x %x %x %x %x", 
            &data[0], &data[1], &data[2], &data[3],
            &data[4], &data[5], &data[6], &data[7]);
        if(res != 8) {
          PrintAndLog("Error: could not read samples");
          fclose(f);
          return -1;
        }
        UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
        int j; for(j = 0; j < 8; j++) {
            c.d.asBytes[j] = data[j];
        }
        SendCommand(&c);
        WaitForResponse(CMD_ACK, NULL);
        offset += 8;
    }
    fclose(f);
    PrintAndLog("loaded %u samples", offset);
    return 0;
}

int CmdLegicSave(const char *Cmd)
{
  int requested = 1024;
  int offset = 0;
  int delivered = 0;
  char filename[FILE_PATH_SIZE];
  uint8_t got[1024];
  
  sscanf(Cmd, " %s %i %i", filename, &requested, &offset);

  /* If no length given save entire legic read buffer */
  /* round up to nearest 8 bytes so the saved data can be used with legicload */
  if (requested == 0) {
    requested = 1024;
  }
  if (requested % 8 != 0) {
    int remainder = requested % 8;
    requested = requested + 8 - remainder;
  }
  if (offset + requested > sizeof(got)) {
    PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
    return 0;
  }
  
  FILE *f = fopen(filename, "w");
  if(!f) {
    PrintAndLog("couldn't open '%s'", Cmd+1);
    return -1;
  }

  GetFromBigBuf(got, requested, offset, NULL, -1, false);

  for (int j = 0; j < requested; j += 8) {
    fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
      got[j+0],
      got[j+1],
      got[j+2],
      got[j+3],
      got[j+4],
      got[j+5],
      got[j+6],
      got[j+7]
    );
    delivered += 8;
    if (delivered >= requested)
      break;
  }

  fclose(f);
  PrintAndLog("saved %u samples", delivered);
  return 0;
}

int CmdLegicRfSim(const char *Cmd)
{
   UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
   c.arg[0] = 6;
   c.arg[1] = 3;
   c.arg[2] = 0;
   sscanf(Cmd, " %" SCNi64 " %" SCNi64 " %" SCNi64, &c.arg[0], &c.arg[1], &c.arg[2]);
   SendCommand(&c);
   return 0;
}

int CmdLegicRfWrite(const char *Cmd)
{
    UsbCommand c={CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
	if(res != 2) {
		PrintAndLog("Please specify the offset and length as two hex strings");
        return -1;
    }
    SendCommand(&c);
    return 0;
}

int CmdLegicRfFill(const char *Cmd)
{
    UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
    if(res != 3) {
        PrintAndLog("Please specify the offset, length and value as two hex strings");
        return -1;
    }

    int i;
    UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
    for(i = 0; i < 48; i++) {
      c.d.asBytes[i] = cmd.arg[2];
    }
    for(i = 0; i < 22; i++) {
      c.arg[0] = i*48;
      SendCommand(&c);
      WaitForResponse(CMD_ACK,NULL);
    }
    SendCommand(&cmd);
    return 0;
 }
Commit	Line	Data
a553f267	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// High frequency Legic commands
	9	//-----------------------------------------------------------------------------
	10
8e220a91	11	#include <stdio.h>
8e220a91	12	#include <string.h>
43534cba	13	#include <inttypes.h>
902cb3c0	14	#include "proxmark3.h"
41dab153	15	#include "ui.h"
7fe9b0b7	16	#include "cmdparser.h"
7fe9b0b7	17	#include "cmdhflegic.h"
669c1b80	18	#include "cmdmain.h"
31d1caa5	19	#include "util.h"
7fe9b0b7	20	static int CmdHelp(const char *Cmd);
7fe9b0b7	21
7fe9b0b7	22	static command_t CommandTable[] =
	23	{
	24	{"help", CmdHelp, 1, "This help"},
669c1b80	25	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153	26	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
3612a8a8	27	{"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
	28	{"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
	29	{"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
	30	{"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
	31	{"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
7fe9b0b7	32	{NULL, NULL, 0, NULL}
	33	};
	34
	35	int CmdHFLegic(const char *Cmd)
	36	{
	37	CmdsParse(CommandTable, Cmd);
	38	return 0;
	39	}
	40
	41	int CmdHelp(const char *Cmd)
	42	{
	43	CmdsHelp(CommandTable);
	44	return 0;
	45	}
669c1b80	46
	47	/*
	48	* Output BigBuf and deobfuscate LEGIC RF tag data.
	49	* This is based on information given in the talk held
	50	* by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80	51	*/
	52	int CmdLegicDecode(const char *Cmd)
	53	{
4961e292	54	int i, j, k, n;
669c1b80	55	int segment_len = 0;
	56	int segment_flag = 0;
	57	int stamp_len = 0;
	58	int crc = 0;
	59	int wrp = 0;
	60	int wrc = 0;
bf824347	61	uint8_t data_buf[1053]; // receiver buffer
669c1b80	62	char out_string[3076]; // just use big buffer - bad practice
669c1b80	63	char token_type[4];
669c1b80	64
669c1b80	65	// copy data from proxmark into buffer
babca445	66	GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
669c1b80	67
	68	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	69
	70	PrintAndLog("\nCDF: System Area");
	71
	72	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	73	data_buf[0],
	74	data_buf[1],
	75	data_buf[2],
	76	data_buf[3],
	77	data_buf[4]
	78	);
	79
	80	crc = data_buf[4];
	81
	82	switch (data_buf[5]&0x7f) {
	83	case 0x00 ... 0x2f:
	84	strncpy(token_type, "IAM",sizeof(token_type));
	85	break;
	86	case 0x30 ... 0x6f:
	87	strcpy(token_type, "SAM");
	88	break;
	89	case 0x70 ... 0x7f:
	90	strcpy(token_type, "GAM");
	91	break;
	92	default:
	93	strcpy(token_type, "???");
	94	break;
	95	}
	96
	97	stamp_len = 0xfc - data_buf[6];
	98
	99	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
	100	data_buf[5],
	101	data_buf[6],
	102	token_type,
	103	(data_buf[5]&0x80)>>7,
	104	stamp_len
	105	);
	106
	107	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
	108	data_buf[7]&0x0f,
	109	(data_buf[7]&0x70)>>4,
	110	(data_buf[7]&0x80)>>7,
	111	data_buf[7],
	112	data_buf[8]
	113	);
	114
	115	PrintAndLog("Remaining Header Area");
	116
	117	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
	118	data_buf[9],
	119	data_buf[10],
	120	data_buf[11],
	121	data_buf[12],
	122	data_buf[13],
	123	data_buf[14],
	124	data_buf[15],
	125	data_buf[16],
	126	data_buf[17],
	127	data_buf[18],
	128	data_buf[19],
	129	data_buf[20],
	130	data_buf[21]
131	);
132
133	PrintAndLog("\nADF: User Area");
134
41dab153	135	i = 22;
669c1b80	136	for (n=0; n<64; n++) {
	137	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	138	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	139
	140	wrp = (data_buf[i+2]^crc);
	141	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	142
	143	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	144	n,
	145	data_buf[i]^crc,
	146	data_buf[i+1]^crc,
	147	data_buf[i+2]^crc,
	148	data_buf[i+3]^crc,
	149	segment_flag,
	150	(segment_flag&0x4)>>2,
	151	(segment_flag&0x8)>>3,
	152	segment_len,
	153	wrp,
	154	wrc,
	155	((data_buf[i+3]^crc)&0x80)>>7,
	156	(data_buf[i+4]^crc)
	157	);
	158
	159	i+=5;
	160
	161	if (wrc>0) {
	162	PrintAndLog("WRC protected area:");
31332265	163	for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	164	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	165	out_string[j+2] = ' ';
	166	};
	167
	168	out_string[j] = '\0';
	169
	170	PrintAndLog("%s", out_string);
	171	}
	172
	173	if (wrp>wrc) {
	174	PrintAndLog("Remaining write protected area:");
	175
31332265	176	for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	177	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	178	out_string[j+2] = ' ';
	179	};
	180
	181	out_string[j] = '\0';
	182
	183	PrintAndLog("%s", out_string);
	184	if((wrp-wrc) == 8) {
	185	sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
	186	PrintAndLog("%s", out_string);
	187	}
	188	}
	189
	190	PrintAndLog("Remaining segment payload:");
31332265	191	for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	192	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	193	out_string[j+2] = ' ';
	194	};
	195
	196	out_string[j] = '\0';
	197
	198	PrintAndLog("%s", out_string);
	199
	200	// end with last segment
	201	if (segment_flag & 0x8)
	202	return 0;
	203	};
	204	return 0;
	205	}
41dab153	206
	207	int CmdLegicRFRead(const char *Cmd)
	208	{
	209	int byte_count=0,offset=0;
	210	sscanf(Cmd, "%i %i", &offset, &byte_count);
a2b1414f	211	if(byte_count == 0) byte_count = -1;
a2b1414f	212	if(byte_count + offset > 1024) byte_count = 1024 - offset;
41dab153	213	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	214	SendCommand(&c);
	215	return 0;
	216	}
3612a8a8	217
	218	int CmdLegicLoad(const char *Cmd)
	219	{
b915fda3	220	char filename[FILE_PATH_SIZE] = {0x00};
	221	int len = 0;
	222
	223	if (param_getchar(Cmd, 0) == 'h' \|\| param_getchar(Cmd, 0)== 0x00) {
	224	PrintAndLog("It loads datasamples from the file `filename`");
	225	PrintAndLog("Usage: hf legic load <file name>");
	226	PrintAndLog(" sample: hf legic load filename");
	227	return 0;
	228	}
	229
	230	len = strlen(Cmd);
	231	if (len > FILE_PATH_SIZE) {
	232	PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
	233	return 0;
	234	}
	235	memcpy(filename, Cmd, len);
	236
	237	FILE *f = fopen(filename, "r");
3612a8a8	238	if(!f) {
	239	PrintAndLog("couldn't open '%s'", Cmd);
	240	return -1;
	241	}
	242	char line[80]; int offset = 0; unsigned int data[8];
	243	while(fgets(line, sizeof(line), f)) {
	244	int res = sscanf(line, "%x %x %x %x %x %x %x %x",
	245	&data[0], &data[1], &data[2], &data[3],
	246	&data[4], &data[5], &data[6], &data[7]);
	247	if(res != 8) {
	248	PrintAndLog("Error: could not read samples");
	249	fclose(f);
	250	return -1;
	251	}
8c8317a5	252	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
3612a8a8	253	int j; for(j = 0; j < 8; j++) {
	254	c.d.asBytes[j] = data[j];
	255	}
	256	SendCommand(&c);
902cb3c0	257	WaitForResponse(CMD_ACK, NULL);
3612a8a8	258	offset += 8;
	259	}
	260	fclose(f);
	261	PrintAndLog("loaded %u samples", offset);
	262	return 0;
	263	}
	264
	265	int CmdLegicSave(const char *Cmd)
	266	{
3612a8a8	267	int requested = 1024;
3612a8a8	268	int offset = 0;
4961e292	269	int delivered = 0;
b915fda3	270	char filename[FILE_PATH_SIZE];
4961e292	271	uint8_t got[1024];
4961e292	272
3612a8a8	273	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
3612a8a8	274
4961e292	275	/* If no length given save entire legic read buffer */
4961e292	276	/* round up to nearest 8 bytes so the saved data can be used with legicload */
3612a8a8	277	if (requested == 0) {
4961e292	278	requested = 1024;
3612a8a8	279	}
4961e292	280	if (requested % 8 != 0) {
	281	int remainder = requested % 8;
	282	requested = requested + 8 - remainder;
	283	}
4961e292	284	if (offset + requested > sizeof(got)) {
	285	PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
	286	return 0;
	287	}
	288
3612a8a8	289	FILE *f = fopen(filename, "w");
	290	if(!f) {
	291	PrintAndLog("couldn't open '%s'", Cmd+1);
	292	return -1;
	293	}
	294
babca445	295	GetFromBigBuf(got, requested, offset, NULL, -1, false);
4961e292	296
	297	for (int j = 0; j < requested; j += 8) {
	298	fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
	299	got[j+0],
	300	got[j+1],
	301	got[j+2],
	302	got[j+3],
	303	got[j+4],
	304	got[j+5],
	305	got[j+6],
	306	got[j+7]
	307	);
	308	delivered += 8;
3612a8a8	309	if (delivered >= requested)
	310	break;
	311	}
	312
	313	fclose(f);
	314	PrintAndLog("saved %u samples", delivered);
	315	return 0;
	316	}
	317
	318	int CmdLegicRfSim(const char *Cmd)
	319	{
	320	UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
	321	c.arg[0] = 6;
	322	c.arg[1] = 3;
	323	c.arg[2] = 0;
43534cba	324	sscanf(Cmd, " %" SCNi64 " %" SCNi64 " %" SCNi64, &c.arg[0], &c.arg[1], &c.arg[2]);
3612a8a8	325	SendCommand(&c);
	326	return 0;
	327	}
	328
	329	int CmdLegicRfWrite(const char *Cmd)
	330	{
	331	UsbCommand c={CMD_WRITER_LEGIC_RF};
43534cba	332	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
3612a8a8	333	if(res != 2) {
	334	PrintAndLog("Please specify the offset and length as two hex strings");
	335	return -1;
	336	}
	337	SendCommand(&c);
	338	return 0;
	339	}
	340
	341	int CmdLegicRfFill(const char *Cmd)
	342	{
	343	UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
43534cba	344	int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8	345	if(res != 3) {
	346	PrintAndLog("Please specify the offset, length and value as two hex strings");
	347	return -1;
	348	}
	349
	350	int i;
8c8317a5	351	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
3612a8a8	352	for(i = 0; i < 48; i++) {
	353	c.d.asBytes[i] = cmd.arg[2];
	354	}
	355	for(i = 0; i < 22; i++) {
	356	c.arg[0] = i*48;
	357	SendCommand(&c);
902cb3c0	358	WaitForResponse(CMD_ACK,NULL);
3612a8a8	359	}
	360	SendCommand(&cmd);
	361	return 0;
	362	}
	363