]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhflegic.c
ADD: added some identification on between old Desfire, Desfire EV1 and Desfire EV2
[proxmark3-svn] / client / cmdhflegic.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency Legic commands
9//-----------------------------------------------------------------------------
10
8e220a91 11#include <stdio.h>
12#include <string.h>
902cb3c0 13#include "proxmark3.h"
41dab153 14#include "data.h"
15#include "ui.h"
7fe9b0b7 16#include "cmdparser.h"
17#include "cmdhflegic.h"
669c1b80 18#include "cmdmain.h"
31d1caa5 19#include "util.h"
3b920280 20#include "crc.h"
7fe9b0b7 21static int CmdHelp(const char *Cmd);
22
3b920280 23int usage_legic_calccrc8(void){
24 PrintAndLog("Calculates the legic crc8 on the input hexbytes.");
25 PrintAndLog("There must be an even number of hexsymbols as input.");
26 PrintAndLog("Usage: hf legic crc8 <hexbytes>");
27 PrintAndLog("Options :");
28 PrintAndLog(" <hexbytes> : hex bytes in a string");
29 PrintAndLog("");
30 PrintAndLog("Sample : hf legic crc8 deadbeef1122");
31 return 0;
32}
33
e579e768 34int usage_legic_load(void){
35 PrintAndLog("It loads datasamples from the file `filename` to device memory");
36 PrintAndLog("Usage: hf legic load <file name>");
37 PrintAndLog(" sample: hf legic load filename");
38 return 0;
39}
40
cbdcc89a 41int usage_legic_read(void){
42 PrintAndLog("Read data from a legic tag.");
43 PrintAndLog("Usage: hf legic read <offset> <num of bytes>");
44 PrintAndLog("Options :");
45 PrintAndLog(" <offset> : offset in data array to start download from");
46 PrintAndLog(" <num of bytes> : number of bytes to download");
47 PrintAndLog("");
48 PrintAndLog(" sample: hf legic read");
49 return 0;
50}
51
669c1b80 52/*
53 * Output BigBuf and deobfuscate LEGIC RF tag data.
cbdcc89a 54 * This is based on information given in the talk held
669c1b80 55 * by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80 56 */
3b920280 57int CmdLegicDecode(const char *Cmd) {
d7fd9084 58 // Index for the bytearray.
59 int i = 0;
60 int k = 0, segmentNum;
52cf34c1 61 int segment_len = 0;
62 int segment_flag = 0;
60bb5ef7 63 uint8_t stamp_len = 0;
52cf34c1 64 int crc = 0;
65 int wrp = 0;
66 int wrc = 0;
cbdcc89a 67 uint8_t data_buf[1024]; // receiver buffer, should be 1024..
52cf34c1 68 char token_type[4];
69
cbdcc89a 70 // download EML memory, where the "legic read" command puts the data.
71 GetEMLFromBigBuf(data_buf, sizeof(data_buf), 0);
f7f844d0 72 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
73 PrintAndLog("Command execute timeout");
74 return 1;
75 }
76
52cf34c1 77 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
3b920280 78 crc = data_buf[4];
79 uint32_t calc_crc = CRC8Legic(data_buf, 4);
80
52cf34c1 81 PrintAndLog("\nCDF: System Area");
aacb96d7 82 PrintAndLog("------------------------------------------------------");
3b920280 83 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
52cf34c1 84 data_buf[0],
85 data_buf[1],
86 data_buf[2],
87 data_buf[3],
3b920280 88 data_buf[4],
e579e768 89 (calc_crc == crc) ? "OK":"Fail"
52cf34c1 90 );
669c1b80 91
d7fd9084 92 switch (data_buf[5] & 0x7f) {
52cf34c1 93 case 0x00 ... 0x2f:
94 strncpy(token_type, "IAM",sizeof(token_type));
95 break;
96 case 0x30 ... 0x6f:
d7fd9084 97 strncpy(token_type, "SAM",sizeof(token_type));
52cf34c1 98 break;
99 case 0x70 ... 0x7f:
d7fd9084 100 strncpy(token_type, "GAM",sizeof(token_type));
52cf34c1 101 break;
102 default:
d7fd9084 103 strncpy(token_type, "???",sizeof(token_type));
52cf34c1 104 break;
105 }
106
107 stamp_len = 0xfc - data_buf[6];
108
9827020a 109 PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
52cf34c1 110 data_buf[5],
111 data_buf[6],
112 token_type,
113 (data_buf[5]&0x80)>>7,
114 stamp_len
115 );
116
117 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
118 data_buf[7]&0x0f,
119 (data_buf[7]&0x70)>>4,
120 (data_buf[7]&0x80)>>7,
121 data_buf[7],
122 data_buf[8]
123 );
124
125 PrintAndLog("Remaining Header Area");
126 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
d7fd9084 127
e579e768 128 uint8_t segCrcBytes[8] = {0x00};
129 uint32_t segCalcCRC = 0;
130 uint32_t segCRC = 0;
d7fd9084 131
aacb96d7 132 // see if user area is xored or just zeros.
133 int numOfZeros = 0;
134 for (int index=22; index < 256; ++index){
135 if ( data_buf[index] == 0x00 )
136 ++numOfZeros;
137 }
138 // if possible zeros is less then 60%, lets assume data is xored
139 // 256 - 22 (header) = 234
140 // 1024 - 22 (header) = 1002
141 int isXored = (numOfZeros*100/stamp_len) < 50;
142 PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len));
143
144 print_hex_break( data_buf, 33, 16);
145
cbdcc89a 146 return 0;
147
d7fd9084 148 PrintAndLog("\nADF: User Area");
aacb96d7 149 PrintAndLog("------------------------------------------------------");
d7fd9084 150 i = 22;
151 // 64 potential segements
f7f844d0 152 // how to detect there is no segments?!?
d7fd9084 153 for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
52cf34c1 154 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
155 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
156
157 wrp = (data_buf[i+2]^crc);
158 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
159
d7fd9084 160 bool hasWRC = (wrc > 0);
161 bool hasWRP = (wrp > wrc);
162 int wrp_len = (wrp - wrc);
163 int remain_seg_payload_len = (segment_len - wrp - 5);
e579e768 164
d7fd9084 165 // validate segment-crc
166 segCrcBytes[0]=data_buf[0]; //uid0
167 segCrcBytes[1]=data_buf[1]; //uid1
168 segCrcBytes[2]=data_buf[2]; //uid2
169 segCrcBytes[3]=data_buf[3]; //uid3
170 segCrcBytes[4]=(data_buf[i]^crc); //hdr0
e579e768 171 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
172 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
173 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
d7fd9084 174
e579e768 175 segCalcCRC = CRC8Legic(segCrcBytes, 8);
d7fd9084 176 segCRC = data_buf[i+4]^crc;
e579e768 177
aacb96d7 178 PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
d7fd9084 179 segmentNum,
52cf34c1 180 data_buf[i]^crc,
181 data_buf[i+1]^crc,
182 data_buf[i+2]^crc,
183 data_buf[i+3]^crc,
9827020a 184 segment_len,
52cf34c1 185 segment_flag,
d7fd9084 186 (segment_flag & 0x4) >> 2,
187 (segment_flag & 0x8) >> 3,
52cf34c1 188 wrp,
189 wrc,
d7fd9084 190 ((data_buf[i+3]^crc) & 0x80) >> 7,
e579e768 191 segCRC,
192 ( segCRC == segCalcCRC ) ? "OK" : "fail"
52cf34c1 193 );
194
3b920280 195 i += 5;
669c1b80 196
d7fd9084 197 if ( hasWRC ) {
198 PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
aacb96d7 199 PrintAndLog("\nrow | data");
200 PrintAndLog("-----+------------------------------------------------");
a182a680 201 // de-xor? if not zero, assume it needs xoring.
aacb96d7 202 if ( isXored) {
a182a680 203 for ( k=i; k < wrc; ++k)
204 data_buf[k] ^= crc;
205 }
9827020a 206 print_hex_break( data_buf+i, wrc, 16);
3b920280 207
208 i += wrc;
52cf34c1 209 }
669c1b80 210
d7fd9084 211 if ( hasWRP ) {
212 PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
aacb96d7 213 PrintAndLog("\nrow | data");
214 PrintAndLog("-----+------------------------------------------------");
d7fd9084 215
aacb96d7 216 if (isXored) {
a182a680 217 for (k=i; k < wrp_len; ++k)
9827020a 218 data_buf[k] ^= crc;
219 }
3b920280 220
9827020a 221 print_hex_break( data_buf+i, wrp_len, 16);
3b920280 222
d7fd9084 223 i += wrp_len;
224
a182a680 225 // does this one work?
9827020a 226 if( wrp_len == 8 )
227 PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
52cf34c1 228 }
669c1b80 229
a182a680 230 PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
aacb96d7 231 PrintAndLog("\nrow | data");
232 PrintAndLog("-----+------------------------------------------------");
233 if ( isXored ) {
a182a680 234 for ( k=i; k < remain_seg_payload_len; ++k)
9827020a 235 data_buf[k] ^= crc;
236 }
3b920280 237
9827020a 238 print_hex_break( data_buf+i, remain_seg_payload_len, 16);
669c1b80 239
d7fd9084 240 i += remain_seg_payload_len;
241
aacb96d7 242 PrintAndLog("-----+------------------------------------------------\n");
a182a680 243
52cf34c1 244 // end with last segment
245 if (segment_flag & 0x8) return 0;
246
247 } // end for loop
248 return 0;
669c1b80 249}
41dab153 250
52cf34c1 251int CmdLegicRFRead(const char *Cmd) {
cbdcc89a 252
253 // params:
254 // offset in data
255 // number of bytes.
256 char cmdp = param_getchar(Cmd, 0);
257 if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read();
258
52cf34c1 259 int byte_count=0, offset=0;
260 sscanf(Cmd, "%i %i", &offset, &byte_count);
261 if(byte_count == 0) byte_count = -1;
262 if(byte_count + offset > 1024) byte_count = 1024 - offset;
263
264 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
265 clearCommandBuffer();
266 SendCommand(&c);
267 return 0;
41dab153 268}
3612a8a8 269
52cf34c1 270int CmdLegicLoad(const char *Cmd) {
b915fda3 271
52cf34c1 272 char cmdp = param_getchar(Cmd, 0);
e579e768 273 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
b915fda3 274
e579e768 275 char filename[FILE_PATH_SIZE] = {0x00};
276 int len = strlen(Cmd);
277
b915fda3 278 if (len > FILE_PATH_SIZE) {
279 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
280 return 0;
281 }
282 memcpy(filename, Cmd, len);
283
284 FILE *f = fopen(filename, "r");
3612a8a8 285 if(!f) {
286 PrintAndLog("couldn't open '%s'", Cmd);
287 return -1;
288 }
52cf34c1 289
290 char line[80];
810f5379 291 int offset = 0;
c6e0a2eb 292 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
293 int index = 0;
294 int totalbytes = 0;
52cf34c1 295 while ( fgets(line, sizeof(line), f) ) {
3612a8a8 296 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
c6e0a2eb 297 (unsigned int *)&data[index],
298 (unsigned int *)&data[index + 1],
299 (unsigned int *)&data[index + 2],
300 (unsigned int *)&data[index + 3],
301 (unsigned int *)&data[index + 4],
302 (unsigned int *)&data[index + 5],
303 (unsigned int *)&data[index + 6],
304 (unsigned int *)&data[index + 7]);
e7d099dc 305
3612a8a8 306 if(res != 8) {
307 PrintAndLog("Error: could not read samples");
308 fclose(f);
309 return -1;
310 }
c6e0a2eb 311 index += res;
312
313 if ( index == USB_CMD_DATA_SIZE ){
314// PrintAndLog("sent %d | %d | %d", index, offset, totalbytes);
315 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
316 memcpy(c.d.asBytes, data, sizeof(data));
317 clearCommandBuffer();
318 SendCommand(&c);
d7fd9084 319 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
320 PrintAndLog("Command execute timeout");
321 fclose(f);
322 return 1;
323 }
c6e0a2eb 324 offset += index;
325 totalbytes += index;
326 index = 0;
327 }
3612a8a8 328 }
329 fclose(f);
c6e0a2eb 330
331 // left over bytes?
332 if ( index != 0 ) {
333 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
334 memcpy(c.d.asBytes, data, 8);
335 clearCommandBuffer();
336 SendCommand(&c);
d7fd9084 337 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
338 PrintAndLog("Command execute timeout");
339 return 1;
340 }
c6e0a2eb 341 totalbytes += index;
342 }
343
344 PrintAndLog("loaded %u samples", totalbytes);
3612a8a8 345 return 0;
346}
347
52cf34c1 348int CmdLegicSave(const char *Cmd) {
349 int requested = 1024;
350 int offset = 0;
351 int delivered = 0;
352 char filename[FILE_PATH_SIZE];
353 uint8_t got[1024] = {0x00};
354
355 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
356
357 /* If no length given save entire legic read buffer */
358 /* round up to nearest 8 bytes so the saved data can be used with legicload */
e7d099dc 359 if (requested == 0)
52cf34c1 360 requested = 1024;
52cf34c1 361
362 if (requested % 8 != 0) {
363 int remainder = requested % 8;
364 requested = requested + 8 - remainder;
365 }
366
367 if (offset + requested > sizeof(got)) {
368 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
369 return 0;
370 }
371
d7fd9084 372 GetFromBigBuf(got, requested, offset);
f7f844d0 373 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
aacb96d7 374 PrintAndLog("Command execute timeout");
f7f844d0 375 return 1;
376 }
52cf34c1 377
aacb96d7 378 FILE *f = fopen(filename, "w");
379 if(!f) {
380 PrintAndLog("couldn't open '%s'", Cmd+1);
381 return -1;
382 }
383
52cf34c1 384 for (int j = 0; j < requested; j += 8) {
385 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
c6e0a2eb 386 got[j+0], got[j+1], got[j+2], got[j+3],
387 got[j+4], got[j+5], got[j+6], got[j+7]
52cf34c1 388 );
389 delivered += 8;
390 if (delivered >= requested) break;
391 }
392
393 fclose(f);
394 PrintAndLog("saved %u samples", delivered);
395 return 0;
3612a8a8 396}
397
f7f844d0 398//TODO: write a help text (iceman)
52cf34c1 399int CmdLegicRfSim(const char *Cmd) {
3b920280 400 UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
52cf34c1 401 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
402 clearCommandBuffer();
403 SendCommand(&c);
404 return 0;
3612a8a8 405}
406
f7f844d0 407//TODO: write a help text (iceman)
52cf34c1 408int CmdLegicRfWrite(const char *Cmd) {
409 UsbCommand c = {CMD_WRITER_LEGIC_RF};
125a98a1 410 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8 411 if(res != 2) {
412 PrintAndLog("Please specify the offset and length as two hex strings");
413 return -1;
414 }
52cf34c1 415 clearCommandBuffer();
3612a8a8 416 SendCommand(&c);
417 return 0;
418}
419
52cf34c1 420int CmdLegicRfFill(const char *Cmd) {
421 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
1a07fd51 422 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8 423 if(res != 3) {
424 PrintAndLog("Please specify the offset, length and value as two hex strings");
425 return -1;
426 }
427
428 int i;
52cf34c1 429 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
3612a8a8 430 for(i = 0; i < 48; i++) {
52cf34c1 431 c.d.asBytes[i] = cmd.arg[2];
3612a8a8 432 }
52cf34c1 433
434 for(i = 0; i < 22; i++) {
435 c.arg[0] = i*48;
436 SendCommand(&c);
437 WaitForResponse(CMD_ACK,NULL);
438 }
439 clearCommandBuffer();
3612a8a8 440 SendCommand(&cmd);
441 return 0;
442 }
443
3b920280 444int CmdLegicCalcCrc8(const char *Cmd){
445
446 int len = strlen(Cmd);
6cf8fcb0 447 if ( len & 1 ) return usage_legic_calccrc8();
3b920280 448
aacb96d7 449 // add 1 for null terminator.
450 uint8_t *data = malloc(len+1);
3b920280 451 if ( data == NULL ) return 1;
452
eb5206bd 453 if (param_gethex(Cmd, 0, data, len )) {
454 free(data);
455 return usage_legic_calccrc8();
456 }
3b920280 457
458 uint32_t checksum = CRC8Legic(data, len/2);
459 PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
460 free(data);
461 return 0;
462}
463
52cf34c1 464static command_t CommandTable[] = {
3b920280 465 {"help", CmdHelp, 1, "This help"},
466 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
467 {"read", CmdLegicRFRead, 0, "[offset][length] -- read bytes from a LEGIC card"},
468 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
469 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
470 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
471 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
472 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
473 {"crc8", CmdLegicCalcCrc8, 1, "Calculate Legic CRC8 over given hexbytes"},
52cf34c1 474 {NULL, NULL, 0, NULL}
475};
476
477int CmdHFLegic(const char *Cmd) {
478 clearCommandBuffer();
479 CmdsParse(CommandTable, Cmd);
480 return 0;
481}
482
483int CmdHelp(const char *Cmd) {
484 CmdsHelp(CommandTable);
485 return 0;
486}
Impressum, Datenschutz