]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
fix WaitForResponse (without timeout)
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include "cmdhflegic.h"
12
13 #include <stdio.h>
14 #include <string.h>
15 #include <inttypes.h>
16 #include "comms.h"
17 #include "ui.h"
18 #include "cmdparser.h"
19 #include "cmdmain.h"
20 #include "util.h"
21 #include "../include/legic.h"
22
23 static int CmdHelp(const char *Cmd);
24
25 static command_t CommandTable[] =
26 {
27 {"help", CmdHelp, 1, "This help"},
28 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
29 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
30 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
31 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
32 {"sim", CmdLegicRfSim, 0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
33 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
34 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
35 {NULL, NULL, 0, NULL}
36 };
37
38 int CmdHFLegic(const char *Cmd)
39 {
40 CmdsParse(CommandTable, Cmd);
41 return 0;
42 }
43
44 int CmdHelp(const char *Cmd)
45 {
46 CmdsHelp(CommandTable);
47 return 0;
48 }
49
50 /*
51 * Output BigBuf and deobfuscate LEGIC RF tag data.
52 * This is based on information given in the talk held
53 * by Henryk Ploetz and Karsten Nohl at 26c3
54 */
55 int CmdLegicDecode(const char *Cmd)
56 {
57 int i, j, k, n;
58 int segment_len = 0;
59 int segment_flag = 0;
60 int stamp_len = 0;
61 int crc = 0;
62 int wrp = 0;
63 int wrc = 0;
64 uint8_t data_buf[1053]; // receiver buffer
65 char out_string[3076]; // just use big buffer - bad practice
66 char token_type[4];
67
68 // copy data from proxmark into buffer
69 GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
70
71 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
72
73 PrintAndLog("\nCDF: System Area");
74
75 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
76 data_buf[0],
77 data_buf[1],
78 data_buf[2],
79 data_buf[3],
80 data_buf[4]
81 );
82
83 crc = data_buf[4];
84
85 switch (data_buf[5]&0x7f) {
86 case 0x00 ... 0x2f:
87 strncpy(token_type, "IAM",sizeof(token_type));
88 break;
89 case 0x30 ... 0x6f:
90 strcpy(token_type, "SAM");
91 break;
92 case 0x70 ... 0x7f:
93 strcpy(token_type, "GAM");
94 break;
95 default:
96 strcpy(token_type, "???");
97 break;
98 }
99
100 stamp_len = 0xfc - data_buf[6];
101
102 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
103 data_buf[5],
104 data_buf[6],
105 token_type,
106 (data_buf[5]&0x80)>>7,
107 stamp_len
108 );
109
110 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
111 data_buf[7]&0x0f,
112 (data_buf[7]&0x70)>>4,
113 (data_buf[7]&0x80)>>7,
114 data_buf[7],
115 data_buf[8]
116 );
117
118 PrintAndLog("Remaining Header Area");
119
120 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
121 data_buf[9],
122 data_buf[10],
123 data_buf[11],
124 data_buf[12],
125 data_buf[13],
126 data_buf[14],
127 data_buf[15],
128 data_buf[16],
129 data_buf[17],
130 data_buf[18],
131 data_buf[19],
132 data_buf[20],
133 data_buf[21]
134 );
135
136 PrintAndLog("\nADF: User Area");
137
138 i = 22;
139 for (n=0; n<64; n++) {
140 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
141 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
142
143 wrp = (data_buf[i+2]^crc);
144 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
145
146 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
147 n,
148 data_buf[i]^crc,
149 data_buf[i+1]^crc,
150 data_buf[i+2]^crc,
151 data_buf[i+3]^crc,
152 segment_flag,
153 (segment_flag&0x4)>>2,
154 (segment_flag&0x8)>>3,
155 segment_len,
156 wrp,
157 wrc,
158 ((data_buf[i+3]^crc)&0x80)>>7,
159 (data_buf[i+4]^crc)
160 );
161
162 i+=5;
163
164 if (wrc>0) {
165 PrintAndLog("WRC protected area:");
166 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
167 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
168 out_string[j+2] = ' ';
169 };
170
171 out_string[j] = '\0';
172
173 PrintAndLog("%s", out_string);
174 }
175
176 if (wrp>wrc) {
177 PrintAndLog("Remaining write protected area:");
178
179 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
180 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
181 out_string[j+2] = ' ';
182 };
183
184 out_string[j] = '\0';
185
186 PrintAndLog("%s", out_string);
187 if((wrp-wrc) == 8) {
188 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
189 PrintAndLog("%s", out_string);
190 }
191 }
192
193 PrintAndLog("Remaining segment payload:");
194 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
195 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
196 out_string[j+2] = ' ';
197 };
198
199 out_string[j] = '\0';
200
201 PrintAndLog("%s", out_string);
202
203 // end with last segment
204 if (segment_flag & 0x8)
205 return 0;
206 };
207 return 0;
208 }
209
210 int CmdLegicRFRead(const char *Cmd)
211 {
212 int byte_count=0,offset=0;
213 sscanf(Cmd, "%i %i", &offset, &byte_count);
214 if(byte_count == 0) byte_count = -1;
215 if(byte_count + offset > 1024) byte_count = 1024 - offset;
216 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
217 SendCommand(&c);
218 UsbCommand resp;
219 WaitForResponse(CMD_ACK,&resp);
220 switch (resp.arg[0]) {
221 legic_card_select_t card;
222 case 0:
223 memcpy(&card, resp.d.asBytes, sizeof(card));
224 PrintAndLog("Card (MIM %i) read, use 'hf legic decode' or", card.cardsize);
225 PrintAndLog("'data hexsamples %d' to view results", (resp.arg[1] + 7) & ~7);
226 break;
227 case 1:
228 PrintAndLog("No or unknown card found, aborting");
229 break;
230 case 2:
231 PrintAndLog("operation failed @ 0x%03.3x", resp.arg[1]);
232 break;
233 }
234 return resp.arg[0];
235 }
236
237 int CmdLegicLoad(const char *Cmd)
238 {
239 char filename[FILE_PATH_SIZE] = {0x00};
240 int len = 0;
241
242 if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
243 PrintAndLog("It loads datasamples from the file `filename`");
244 PrintAndLog("Usage: hf legic load <file name>");
245 PrintAndLog(" sample: hf legic load filename");
246 return 0;
247 }
248
249 len = strlen(Cmd);
250 if (len > FILE_PATH_SIZE) {
251 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
252 return 0;
253 }
254 memcpy(filename, Cmd, len);
255
256 FILE *f = fopen(filename, "r");
257 if (!f) {
258 PrintAndLog("couldn't open '%s'", Cmd);
259 return -1;
260 }
261 char line[80]; int offset = 0; unsigned int data[8];
262 while (fgets(line, sizeof(line), f)) {
263 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
264 &data[0], &data[1], &data[2], &data[3],
265 &data[4], &data[5], &data[6], &data[7]);
266 if (res != 8) {
267 PrintAndLog("Error: could not read samples");
268 fclose(f);
269 return -1;
270 }
271 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
272 int j; for(j = 0; j < 8; j++) {
273 c.d.asBytes[j] = data[j];
274 }
275 SendCommand(&c);
276 WaitForResponse(CMD_ACK, NULL);
277 offset += 8;
278 }
279 fclose(f);
280 PrintAndLog("loaded %u samples", offset);
281 return 0;
282 }
283
284 int CmdLegicSave(const char *Cmd)
285 {
286 int requested = 1024;
287 int offset = 0;
288 int delivered = 0;
289 char filename[FILE_PATH_SIZE];
290 uint8_t got[1024];
291
292 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
293
294 /* If no length given save entire legic read buffer */
295 /* round up to nearest 8 bytes so the saved data can be used with legicload */
296 if (requested == 0) {
297 requested = 1024;
298 }
299 if (requested % 8 != 0) {
300 int remainder = requested % 8;
301 requested = requested + 8 - remainder;
302 }
303 if (offset + requested > sizeof(got)) {
304 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
305 return 0;
306 }
307
308 FILE *f = fopen(filename, "w");
309 if (!f) {
310 PrintAndLog("couldn't open '%s'", Cmd+1);
311 return -1;
312 }
313
314 GetFromBigBuf(got, requested, offset, NULL, -1, false);
315
316 for (int j = 0; j < requested; j += 8) {
317 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
318 got[j+0],
319 got[j+1],
320 got[j+2],
321 got[j+3],
322 got[j+4],
323 got[j+5],
324 got[j+6],
325 got[j+7]
326 );
327 delivered += 8;
328 if (delivered >= requested)
329 break;
330 }
331
332 fclose(f);
333 PrintAndLog("saved %u samples", delivered);
334 return 0;
335 }
336
337 int CmdLegicRfSim(const char *Cmd)
338 {
339 UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
340 c.arg[0] = 1;
341 sscanf(Cmd, " %" SCNi64, &c.arg[0]);
342 SendCommand(&c);
343 return 0;
344 }
345
346 int CmdLegicRfWrite(const char *Cmd)
347 {
348 UsbCommand c={CMD_WRITER_LEGIC_RF};
349 int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
350 if (res != 2) {
351 PrintAndLog("Please specify the offset and length as two hex strings");
352 return -1;
353 }
354 SendCommand(&c);
355 return 0;
356 }
357
358 int CmdLegicRfFill(const char *Cmd)
359 {
360 UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
361 int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
362 if (res != 3) {
363 PrintAndLog("Please specify the offset, length and value as two hex strings");
364 return -1;
365 }
366
367 int i;
368 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
369 for (i = 0; i < 48; i++) {
370 c.d.asBytes[i] = cmd.arg[2];
371 }
372 for (i = 0; i < 22; i++) {
373 c.arg[0] = i*48;
374 SendCommand(&c);
375 WaitForResponse(CMD_ACK,NULL);
376 }
377 SendCommand(&cmd);
378 return 0;
379 }
380
Impressum, Datenschutz