[proxmark3-svn] / client / cmdhflegic.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency Legic commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include "proxusb.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"

static int CmdHelp(const char *Cmd);

static command_t CommandTable[] = 
{
  {"help",        CmdHelp,        1, "This help"},
  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  {NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 */
int CmdLegicDecode(const char *Cmd)
{
  int h, i, j, k, n;
  int segment_len = 0;
  int segment_flag = 0;
  int stamp_len = 0;
  int crc = 0;
  int wrp = 0;
  int wrc = 0;
  int data_buf[1032]; // receiver buffer
  char out_string[3076]; // just use big buffer - bad practice
  char token_type[4];
  int delivered = 0;

  h = 0;
  
  // copy data from proxmark into buffer
  for (i = 0; i < 256; i += 12, h += 48) {
    UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
    SendCommand(&c);
    WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
    
    for (j = 0; j < 48; j += 8) {
      for (k = 0; k < 8; k++) {
        data_buf[h+j+k] = sample_buf[j+k];
      }
      delivered += 8;
      if (delivered >= 1024)
        break;
    }
  }
    
  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  
  PrintAndLog("\nCDF: System Area");
  
  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
    data_buf[0],
    data_buf[1],
    data_buf[2],
    data_buf[3],
    data_buf[4]
  );
  
  crc = data_buf[4];
 
  switch (data_buf[5]&0x7f) {
    case 0x00 ... 0x2f:
      strncpy(token_type, "IAM",sizeof(token_type));
      break;
    case 0x30 ... 0x6f:
      strcpy(token_type, "SAM");
      break;
    case 0x70 ... 0x7f:
      strcpy(token_type, "GAM");
      break;
    default:
      strcpy(token_type, "???");
      break;
  }
  
  stamp_len = 0xfc - data_buf[6];
  
  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
    data_buf[5],
    data_buf[6],
    token_type,
    (data_buf[5]&0x80)>>7,
    stamp_len
  );
  
  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
    data_buf[7]&0x0f,
    (data_buf[7]&0x70)>>4,
    (data_buf[7]&0x80)>>7,
    data_buf[7],
    data_buf[8]
  );
  
  PrintAndLog("Remaining Header Area");
  
  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
      data_buf[9],
    data_buf[10],
    data_buf[11],
    data_buf[12],
    data_buf[13],
    data_buf[14],
    data_buf[15],
    data_buf[16],
    data_buf[17],
    data_buf[18],
    data_buf[19],
    data_buf[20],
    data_buf[21]
  );
  
  PrintAndLog("\nADF: User Area");
  
  i = 22;  
  for (n=0; n<64; n++) {
    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
    
    wrp = (data_buf[i+2]^crc);
    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
    
     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
      n,
      data_buf[i]^crc,
      data_buf[i+1]^crc,
      data_buf[i+2]^crc,
      data_buf[i+3]^crc,
      segment_flag,
      (segment_flag&0x4)>>2,
      (segment_flag&0x8)>>3,
      segment_len,
      wrp,
      wrc,
      ((data_buf[i+3]^crc)&0x80)>>7,
      (data_buf[i+4]^crc)
    );
    
    i+=5;
    
    if (wrc>0) {
      PrintAndLog("WRC protected area:");
      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
        
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
    }
    
    if (wrp>wrc) {
      PrintAndLog("Remaining write protected area:");
      
      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
    
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
      if((wrp-wrc) == 8) {
        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
        PrintAndLog("%s", out_string);
      }
    }
    
    PrintAndLog("Remaining segment payload:");
    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
      out_string[j+2] = ' ';
    };
    
    out_string[j] = '\0';
    
    PrintAndLog("%s", out_string);
    
    // end with last segment
    if (segment_flag & 0x8)
      return 0;
  };
  return 0;
}

int CmdLegicRFRead(const char *Cmd)
{
  int byte_count=0,offset=0;
  sscanf(Cmd, "%i %i", &offset, &byte_count);
  if(byte_count == 0) byte_count = -1;
  if(byte_count + offset > 1024) byte_count = 1024 - offset;
  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
  SendCommand(&c);
  return 0;
}
Commit	Line	Data
a553f267	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// High frequency Legic commands
	9	//-----------------------------------------------------------------------------
	10
8e220a91	11	#include <stdio.h>
8e220a91	12	#include <string.h>
7fe9b0b7	13	#include "proxusb.h"
41dab153	14	#include "data.h"
41dab153	15	#include "ui.h"
7fe9b0b7	16	#include "cmdparser.h"
7fe9b0b7	17	#include "cmdhflegic.h"
669c1b80	18	#include "cmdmain.h"
7fe9b0b7	19
	20	static int CmdHelp(const char *Cmd);
	21
7fe9b0b7	22	static command_t CommandTable[] =
	23	{
	24	{"help", CmdHelp, 1, "This help"},
669c1b80	25	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153	26	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
7fe9b0b7	27	{NULL, NULL, 0, NULL}
	28	};
	29
	30	int CmdHFLegic(const char *Cmd)
	31	{
	32	CmdsParse(CommandTable, Cmd);
	33	return 0;
	34	}
	35
	36	int CmdHelp(const char *Cmd)
	37	{
	38	CmdsHelp(CommandTable);
	39	return 0;
	40	}
669c1b80	41
	42	/*
	43	* Output BigBuf and deobfuscate LEGIC RF tag data.
	44	* This is based on information given in the talk held
	45	* by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80	46	*/
	47	int CmdLegicDecode(const char *Cmd)
	48	{
	49	int h, i, j, k, n;
	50	int segment_len = 0;
	51	int segment_flag = 0;
	52	int stamp_len = 0;
	53	int crc = 0;
	54	int wrp = 0;
	55	int wrc = 0;
	56	int data_buf[1032]; // receiver buffer
	57	char out_string[3076]; // just use big buffer - bad practice
	58	char token_type[4];
	59	int delivered = 0;
	60
	61	h = 0;
	62
	63	// copy data from proxmark into buffer
	64	for (i = 0; i < 256; i += 12, h += 48) {
	65	UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
	66	SendCommand(&c);
	67	WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
	68
	69	for (j = 0; j < 48; j += 8) {
	70	for (k = 0; k < 8; k++) {
	71	data_buf[h+j+k] = sample_buf[j+k];
	72	}
	73	delivered += 8;
	74	if (delivered >= 1024)
	75	break;
	76	}
	77	}
	78
	79	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	80
	81	PrintAndLog("\nCDF: System Area");
	82
	83	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	84	data_buf[0],
	85	data_buf[1],
	86	data_buf[2],
	87	data_buf[3],
	88	data_buf[4]
	89	);
	90
	91	crc = data_buf[4];
	92
	93	switch (data_buf[5]&0x7f) {
	94	case 0x00 ... 0x2f:
	95	strncpy(token_type, "IAM",sizeof(token_type));
	96	break;
	97	case 0x30 ... 0x6f:
	98	strcpy(token_type, "SAM");
	99	break;
	100	case 0x70 ... 0x7f:
	101	strcpy(token_type, "GAM");
	102	break;
	103	default:
	104	strcpy(token_type, "???");
	105	break;
	106	}
	107
	108	stamp_len = 0xfc - data_buf[6];
	109
110	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
111	data_buf[5],
112	data_buf[6],
113	token_type,
114	(data_buf[5]&0x80)>>7,
115	stamp_len
116	);
117
118	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
119	data_buf[7]&0x0f,
120	(data_buf[7]&0x70)>>4,
121	(data_buf[7]&0x80)>>7,
122	data_buf[7],
123	data_buf[8]
124	);
125
126	PrintAndLog("Remaining Header Area");
127
128	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
129	data_buf[9],
130	data_buf[10],
131	data_buf[11],
132	data_buf[12],
133	data_buf[13],
134	data_buf[14],
135	data_buf[15],
136	data_buf[16],
137	data_buf[17],
138	data_buf[18],
139	data_buf[19],
140	data_buf[20],
141	data_buf[21]
142	);
143
144	PrintAndLog("\nADF: User Area");
145
41dab153	146	i = 22;
669c1b80	147	for (n=0; n<64; n++) {
	148	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	149	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	150
	151	wrp = (data_buf[i+2]^crc);
	152	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	153
	154	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	155	n,
	156	data_buf[i]^crc,
	157	data_buf[i+1]^crc,
	158	data_buf[i+2]^crc,
	159	data_buf[i+3]^crc,
	160	segment_flag,
	161	(segment_flag&0x4)>>2,
	162	(segment_flag&0x8)>>3,
	163	segment_len,
	164	wrp,
	165	wrc,
	166	((data_buf[i+3]^crc)&0x80)>>7,
	167	(data_buf[i+4]^crc)
	168	);
	169
	170	i+=5;
	171
	172	if (wrc>0) {
	173	PrintAndLog("WRC protected area:");
31332265	174	for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	175	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	176	out_string[j+2] = ' ';
	177	};
	178
	179	out_string[j] = '\0';
	180
	181	PrintAndLog("%s", out_string);
	182	}
	183
	184	if (wrp>wrc) {
	185	PrintAndLog("Remaining write protected area:");
	186
31332265	187	for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	188	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	189	out_string[j+2] = ' ';
	190	};
	191
	192	out_string[j] = '\0';
	193
	194	PrintAndLog("%s", out_string);
	195	if((wrp-wrc) == 8) {
	196	sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
	197	PrintAndLog("%s", out_string);
	198	}
	199	}
	200
	201	PrintAndLog("Remaining segment payload:");
31332265	202	for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	203	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	204	out_string[j+2] = ' ';
	205	};
	206
	207	out_string[j] = '\0';
	208
	209	PrintAndLog("%s", out_string);
	210
	211	// end with last segment
	212	if (segment_flag & 0x8)
	213	return 0;
	214	};
	215	return 0;
	216	}
41dab153	217
	218	int CmdLegicRFRead(const char *Cmd)
	219	{
	220	int byte_count=0,offset=0;
	221	sscanf(Cmd, "%i %i", &offset, &byte_count);
a2b1414f	222	if(byte_count == 0) byte_count = -1;
a2b1414f	223	if(byte_count + offset > 1024) byte_count = 1024 - offset;
41dab153	224	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	225	SendCommand(&c);
	226	return 0;
	227	}