[proxmark3-svn] / client / cmdhflegic.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency Legic commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include "proxmark3.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"
#include "util.h"
static int CmdHelp(const char *Cmd);

static command_t CommandTable[] = 
{
  {"help",        CmdHelp,        1, "This help"},
  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  {"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
  {"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
  {"sim",         CmdLegicRfSim,  0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
  {"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
  {"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
  {NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 */
int CmdLegicDecode(const char *Cmd)
{
  int i, j, k, n;
  int segment_len = 0;
  int segment_flag = 0;
  int stamp_len = 0;
  int crc = 0;
  int wrp = 0;
  int wrc = 0;
  uint8_t data_buf[1024]; // receiver buffer
  char out_string[3076]; // just use big buffer - bad practice
  char token_type[4];
  
  // copy data from proxmark into buffer
   GetFromBigBuf(data_buf,sizeof(data_buf),0);
   WaitForResponse(CMD_ACK,NULL);
    
  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  
  PrintAndLog("\nCDF: System Area");
  
  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
    data_buf[0],
    data_buf[1],
    data_buf[2],
    data_buf[3],
    data_buf[4]
  );
  
  crc = data_buf[4];
 
  switch (data_buf[5]&0x7f) {
    case 0x00 ... 0x2f:
      strncpy(token_type, "IAM",sizeof(token_type));
      break;
    case 0x30 ... 0x6f:
      strcpy(token_type, "SAM");
      break;
    case 0x70 ... 0x7f:
      strcpy(token_type, "GAM");
      break;
    default:
      strcpy(token_type, "???");
      break;
  }
  
  stamp_len = 0xfc - data_buf[6];
  
  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
    data_buf[5],
    data_buf[6],
    token_type,
    (data_buf[5]&0x80)>>7,
    stamp_len
  );
  
  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
    data_buf[7]&0x0f,
    (data_buf[7]&0x70)>>4,
    (data_buf[7]&0x80)>>7,
    data_buf[7],
    data_buf[8]
  );
  
  PrintAndLog("Remaining Header Area");
  
  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
      data_buf[9],
    data_buf[10],
    data_buf[11],
    data_buf[12],
    data_buf[13],
    data_buf[14],
    data_buf[15],
    data_buf[16],
    data_buf[17],
    data_buf[18],
    data_buf[19],
    data_buf[20],
    data_buf[21]
  );
  
  PrintAndLog("\nADF: User Area");
  
  i = 22;  
  for (n=0; n<64; n++) {
    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
    
    wrp = (data_buf[i+2]^crc);
    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
    
     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
      n,
      data_buf[i]^crc,
      data_buf[i+1]^crc,
      data_buf[i+2]^crc,
      data_buf[i+3]^crc,
      segment_flag,
      (segment_flag&0x4)>>2,
      (segment_flag&0x8)>>3,
      segment_len,
      wrp,
      wrc,
      ((data_buf[i+3]^crc)&0x80)>>7,
      (data_buf[i+4]^crc)
    );
    
    i+=5;
    
    if (wrc>0) {
      PrintAndLog("WRC protected area:");
      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
        
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
    }
    
    if (wrp>wrc) {
      PrintAndLog("Remaining write protected area:");
      
      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
    
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
      if((wrp-wrc) == 8) {
        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
        PrintAndLog("%s", out_string);
      }
    }
    
    PrintAndLog("Remaining segment payload:");
    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
      out_string[j+2] = ' ';
    };
    
    out_string[j] = '\0';
    
    PrintAndLog("%s", out_string);
    
    // end with last segment
    if (segment_flag & 0x8)
      return 0;
  };
  return 0;
}

int CmdLegicRFRead(const char *Cmd)
{
  int byte_count=0,offset=0;
  sscanf(Cmd, "%i %i", &offset, &byte_count);
  if(byte_count == 0) byte_count = -1;
  if(byte_count + offset > 1024) byte_count = 1024 - offset;
  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
  SendCommand(&c);
  return 0;
}

int CmdLegicLoad(const char *Cmd)
{
	char filename[FILE_PATH_SIZE] = {0x00};
	int len = 0;
	
	if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
		PrintAndLog("It loads datasamples from the file `filename`");
		PrintAndLog("Usage:  hf legic load <file name>");
		PrintAndLog(" sample: hf legic load filename");
		return 0;
	}

	len = strlen(Cmd);	
	if (len > FILE_PATH_SIZE) {
		PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
		return 0;
	}
	memcpy(filename, Cmd, len);

    FILE *f = fopen(filename, "r");
    if(!f) {
        PrintAndLog("couldn't open '%s'", Cmd);
        return -1;
    }
    char line[80]; int offset = 0; unsigned int data[8];
    while(fgets(line, sizeof(line), f)) {
        int res = sscanf(line, "%x %x %x %x %x %x %x %x", 
            &data[0], &data[1], &data[2], &data[3],
            &data[4], &data[5], &data[6], &data[7]);
        if(res != 8) {
          PrintAndLog("Error: could not read samples");
          fclose(f);
          return -1;
        }
        UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
        int j; for(j = 0; j < 8; j++) {
            c.d.asBytes[j] = data[j];
        }
        SendCommand(&c);
        WaitForResponse(CMD_ACK, NULL);
        offset += 8;
    }
    fclose(f);
    PrintAndLog("loaded %u samples", offset);
    return 0;
}

int CmdLegicSave(const char *Cmd)
{
  int requested = 1024;
  int offset = 0;
  int delivered = 0;
  char filename[FILE_PATH_SIZE];
  uint8_t got[1024];
  
  sscanf(Cmd, " %s %i %i", filename, &requested, &offset);

  /* If no length given save entire legic read buffer */
  /* round up to nearest 8 bytes so the saved data can be used with legicload */
  if (requested == 0) {
    requested = 1024;
  }
  if (requested % 8 != 0) {
    int remainder = requested % 8;
    requested = requested + 8 - remainder;
  }
  if (offset + requested > sizeof(got)) {
    PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
    return 0;
  }
  
  FILE *f = fopen(filename, "w");
  if(!f) {
    PrintAndLog("couldn't open '%s'", Cmd+1);
    return -1;
  }

  GetFromBigBuf(got,requested,offset);
  WaitForResponse(CMD_ACK,NULL);

  for (int j = 0; j < requested; j += 8) {
    fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
      got[j+0],
      got[j+1],
      got[j+2],
      got[j+3],
      got[j+4],
      got[j+5],
      got[j+6],
      got[j+7]
    );
    delivered += 8;
    if (delivered >= requested)
      break;
  }

  fclose(f);
  PrintAndLog("saved %u samples", delivered);
  return 0;
}

int CmdLegicRfSim(const char *Cmd)
{
   UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
   c.arg[0] = 6;
   c.arg[1] = 3;
   c.arg[2] = 0;
   sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
   SendCommand(&c);
   return 0;
}

int CmdLegicRfWrite(const char *Cmd)
{
    UsbCommand c={CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
	if(res != 2) {
		PrintAndLog("Please specify the offset and length as two hex strings");
        return -1;
    }
    SendCommand(&c);
    return 0;
}

int CmdLegicRfFill(const char *Cmd)
{
    UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
    if(res != 3) {
        PrintAndLog("Please specify the offset, length and value as two hex strings");
        return -1;
    }

    int i;
    UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
    for(i = 0; i < 48; i++) {
      c.d.asBytes[i] = cmd.arg[2];
    }
    for(i = 0; i < 22; i++) {
      c.arg[0] = i*48;
      SendCommand(&c);
      WaitForResponse(CMD_ACK,NULL);
    }
    SendCommand(&cmd);
    return 0;
 }
Commit	Line	Data
a553f267	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// High frequency Legic commands
	9	//-----------------------------------------------------------------------------
	10
8e220a91	11	#include <stdio.h>
8e220a91	12	#include <string.h>
902cb3c0	13	#include "proxmark3.h"
41dab153	14	#include "data.h"
41dab153	15	#include "ui.h"
7fe9b0b7	16	#include "cmdparser.h"
7fe9b0b7	17	#include "cmdhflegic.h"
669c1b80	18	#include "cmdmain.h"
31d1caa5	19	#include "util.h"
7fe9b0b7	20	static int CmdHelp(const char *Cmd);
7fe9b0b7	21
7fe9b0b7	22	static command_t CommandTable[] =
	23	{
	24	{"help", CmdHelp, 1, "This help"},
669c1b80	25	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153	26	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
3612a8a8	27	{"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
	28	{"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
	29	{"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
	30	{"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
	31	{"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
7fe9b0b7	32	{NULL, NULL, 0, NULL}
	33	};
	34
	35	int CmdHFLegic(const char *Cmd)
	36	{
	37	CmdsParse(CommandTable, Cmd);
	38	return 0;
	39	}
	40
	41	int CmdHelp(const char *Cmd)
	42	{
	43	CmdsHelp(CommandTable);
	44	return 0;
	45	}
669c1b80	46
	47	/*
	48	* Output BigBuf and deobfuscate LEGIC RF tag data.
	49	* This is based on information given in the talk held
	50	* by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80	51	*/
	52	int CmdLegicDecode(const char *Cmd)
	53	{
4961e292	54	int i, j, k, n;
669c1b80	55	int segment_len = 0;
	56	int segment_flag = 0;
	57	int stamp_len = 0;
	58	int crc = 0;
	59	int wrp = 0;
	60	int wrc = 0;
4961e292	61	uint8_t data_buf[1024]; // receiver buffer
669c1b80	62	char out_string[3076]; // just use big buffer - bad practice
669c1b80	63	char token_type[4];
669c1b80	64
669c1b80	65	// copy data from proxmark into buffer
4961e292	66	GetFromBigBuf(data_buf,sizeof(data_buf),0);
4961e292	67	WaitForResponse(CMD_ACK,NULL);
669c1b80	68
	69	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	70
	71	PrintAndLog("\nCDF: System Area");
	72
	73	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	74	data_buf[0],
	75	data_buf[1],
	76	data_buf[2],
	77	data_buf[3],
	78	data_buf[4]
	79	);
	80
	81	crc = data_buf[4];
	82
	83	switch (data_buf[5]&0x7f) {
	84	case 0x00 ... 0x2f:
	85	strncpy(token_type, "IAM",sizeof(token_type));
	86	break;
	87	case 0x30 ... 0x6f:
	88	strcpy(token_type, "SAM");
	89	break;
	90	case 0x70 ... 0x7f:
	91	strcpy(token_type, "GAM");
	92	break;
	93	default:
	94	strcpy(token_type, "???");
	95	break;
	96	}
	97
	98	stamp_len = 0xfc - data_buf[6];
	99
	100	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
	101	data_buf[5],
	102	data_buf[6],
	103	token_type,
	104	(data_buf[5]&0x80)>>7,
	105	stamp_len
	106	);
	107
	108	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
	109	data_buf[7]&0x0f,
	110	(data_buf[7]&0x70)>>4,
	111	(data_buf[7]&0x80)>>7,
	112	data_buf[7],
	113	data_buf[8]
	114	);
	115
	116	PrintAndLog("Remaining Header Area");
	117
	118	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
	119	data_buf[9],
	120	data_buf[10],
	121	data_buf[11],
	122	data_buf[12],
	123	data_buf[13],
	124	data_buf[14],
	125	data_buf[15],
	126	data_buf[16],
	127	data_buf[17],
	128	data_buf[18],
	129	data_buf[19],
	130	data_buf[20],
	131	data_buf[21]
132	);
133
134	PrintAndLog("\nADF: User Area");
135
41dab153	136	i = 22;
669c1b80	137	for (n=0; n<64; n++) {
	138	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	139	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	140
	141	wrp = (data_buf[i+2]^crc);
	142	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	143
	144	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	145	n,
	146	data_buf[i]^crc,
	147	data_buf[i+1]^crc,
	148	data_buf[i+2]^crc,
	149	data_buf[i+3]^crc,
	150	segment_flag,
	151	(segment_flag&0x4)>>2,
	152	(segment_flag&0x8)>>3,
	153	segment_len,
	154	wrp,
	155	wrc,
	156	((data_buf[i+3]^crc)&0x80)>>7,
	157	(data_buf[i+4]^crc)
	158	);
	159
	160	i+=5;
	161
	162	if (wrc>0) {
	163	PrintAndLog("WRC protected area:");
31332265	164	for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	165	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	166	out_string[j+2] = ' ';
	167	};
	168
	169	out_string[j] = '\0';
	170
	171	PrintAndLog("%s", out_string);
	172	}
	173
	174	if (wrp>wrc) {
	175	PrintAndLog("Remaining write protected area:");
	176
31332265	177	for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	178	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	179	out_string[j+2] = ' ';
	180	};
	181
	182	out_string[j] = '\0';
	183
	184	PrintAndLog("%s", out_string);
	185	if((wrp-wrc) == 8) {
	186	sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
	187	PrintAndLog("%s", out_string);
	188	}
	189	}
	190
	191	PrintAndLog("Remaining segment payload:");
31332265	192	for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	193	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	194	out_string[j+2] = ' ';
	195	};
	196
	197	out_string[j] = '\0';
	198
	199	PrintAndLog("%s", out_string);
	200
	201	// end with last segment
	202	if (segment_flag & 0x8)
	203	return 0;
	204	};
	205	return 0;
	206	}
41dab153	207
	208	int CmdLegicRFRead(const char *Cmd)
	209	{
	210	int byte_count=0,offset=0;
	211	sscanf(Cmd, "%i %i", &offset, &byte_count);
a2b1414f	212	if(byte_count == 0) byte_count = -1;
a2b1414f	213	if(byte_count + offset > 1024) byte_count = 1024 - offset;
41dab153	214	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	215	SendCommand(&c);
	216	return 0;
	217	}
3612a8a8	218
	219	int CmdLegicLoad(const char *Cmd)
	220	{
b915fda3	221	char filename[FILE_PATH_SIZE] = {0x00};
	222	int len = 0;
	223
	224	if (param_getchar(Cmd, 0) == 'h' \|\| param_getchar(Cmd, 0)== 0x00) {
	225	PrintAndLog("It loads datasamples from the file `filename`");
	226	PrintAndLog("Usage: hf legic load <file name>");
	227	PrintAndLog(" sample: hf legic load filename");
	228	return 0;
	229	}
	230
	231	len = strlen(Cmd);
	232	if (len > FILE_PATH_SIZE) {
	233	PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
	234	return 0;
	235	}
	236	memcpy(filename, Cmd, len);
	237
	238	FILE *f = fopen(filename, "r");
3612a8a8	239	if(!f) {
	240	PrintAndLog("couldn't open '%s'", Cmd);
	241	return -1;
	242	}
	243	char line[80]; int offset = 0; unsigned int data[8];
	244	while(fgets(line, sizeof(line), f)) {
	245	int res = sscanf(line, "%x %x %x %x %x %x %x %x",
	246	&data[0], &data[1], &data[2], &data[3],
	247	&data[4], &data[5], &data[6], &data[7]);
	248	if(res != 8) {
	249	PrintAndLog("Error: could not read samples");
	250	fclose(f);
	251	return -1;
	252	}
	253	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
	254	int j; for(j = 0; j < 8; j++) {
	255	c.d.asBytes[j] = data[j];
	256	}
	257	SendCommand(&c);
902cb3c0	258	WaitForResponse(CMD_ACK, NULL);
3612a8a8	259	offset += 8;
	260	}
	261	fclose(f);
	262	PrintAndLog("loaded %u samples", offset);
	263	return 0;
	264	}
	265
	266	int CmdLegicSave(const char *Cmd)
	267	{
3612a8a8	268	int requested = 1024;
3612a8a8	269	int offset = 0;
4961e292	270	int delivered = 0;
b915fda3	271	char filename[FILE_PATH_SIZE];
4961e292	272	uint8_t got[1024];
4961e292	273
3612a8a8	274	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
3612a8a8	275
4961e292	276	/* If no length given save entire legic read buffer */
4961e292	277	/* round up to nearest 8 bytes so the saved data can be used with legicload */
3612a8a8	278	if (requested == 0) {
4961e292	279	requested = 1024;
3612a8a8	280	}
4961e292	281	if (requested % 8 != 0) {
	282	int remainder = requested % 8;
	283	requested = requested + 8 - remainder;
	284	}
4961e292	285	if (offset + requested > sizeof(got)) {
	286	PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
	287	return 0;
	288	}
	289
3612a8a8	290	FILE *f = fopen(filename, "w");
	291	if(!f) {
	292	PrintAndLog("couldn't open '%s'", Cmd+1);
	293	return -1;
	294	}
	295
4961e292	296	GetFromBigBuf(got,requested,offset);
	297	WaitForResponse(CMD_ACK,NULL);
	298
	299	for (int j = 0; j < requested; j += 8) {
	300	fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
	301	got[j+0],
	302	got[j+1],
	303	got[j+2],
	304	got[j+3],
	305	got[j+4],
	306	got[j+5],
	307	got[j+6],
	308	got[j+7]
	309	);
	310	delivered += 8;
3612a8a8	311	if (delivered >= requested)
	312	break;
	313	}
	314
	315	fclose(f);
	316	PrintAndLog("saved %u samples", delivered);
	317	return 0;
	318	}
	319
	320	int CmdLegicRfSim(const char *Cmd)
	321	{
	322	UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
	323	c.arg[0] = 6;
	324	c.arg[1] = 3;
	325	c.arg[2] = 0;
1a07fd51	326	sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
3612a8a8	327	SendCommand(&c);
	328	return 0;
	329	}
	330
	331	int CmdLegicRfWrite(const char *Cmd)
	332	{
	333	UsbCommand c={CMD_WRITER_LEGIC_RF};
125a98a1	334	int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8	335	if(res != 2) {
	336	PrintAndLog("Please specify the offset and length as two hex strings");
	337	return -1;
	338	}
	339	SendCommand(&c);
	340	return 0;
	341	}
	342
	343	int CmdLegicRfFill(const char *Cmd)
	344	{
	345	UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
1a07fd51	346	int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8	347	if(res != 3) {
	348	PrintAndLog("Please specify the offset, length and value as two hex strings");
	349	return -1;
	350	}
	351
	352	int i;
	353	UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
	354	for(i = 0; i < 48; i++) {
	355	c.d.asBytes[i] = cmd.arg[2];
	356	}
	357	for(i = 0; i < 22; i++) {
	358	c.arg[0] = i*48;
	359	SendCommand(&c);
902cb3c0	360	WaitForResponse(CMD_ACK,NULL);
3612a8a8	361	}
	362	SendCommand(&cmd);
	363	return 0;
	364	}
	365