]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhflegic.c
ADD: added the possibility to choose which block num to attack with "hf mf mifare...
[proxmark3-svn] / client / cmdhflegic.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency Legic commands
9//-----------------------------------------------------------------------------
10
8e220a91 11#include <stdio.h>
12#include <string.h>
902cb3c0 13#include "proxmark3.h"
41dab153 14#include "data.h"
15#include "ui.h"
7fe9b0b7 16#include "cmdparser.h"
17#include "cmdhflegic.h"
669c1b80 18#include "cmdmain.h"
31d1caa5 19#include "util.h"
7fe9b0b7 20static int CmdHelp(const char *Cmd);
21
669c1b80 22/*
23 * Output BigBuf and deobfuscate LEGIC RF tag data.
24 * This is based on information given in the talk held
25 * by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80 26 */
27int CmdLegicDecode(const char *Cmd)
28{
52cf34c1 29 int i, j, k, n;
30 int segment_len = 0;
31 int segment_flag = 0;
32 int stamp_len = 0;
33 int crc = 0;
34 int wrp = 0;
35 int wrc = 0;
36 uint8_t data_buf[3076]; // receiver buffer
37 char out_string[3076]; // just use big buffer - bad practice
38 char token_type[4];
39
40 // copy data from proxmark into buffer
41 GetFromBigBuf(data_buf,sizeof(data_buf),0);
42 WaitForResponse(CMD_ACK,NULL);
43
44 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
45
46 PrintAndLog("\nCDF: System Area");
47
48 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
49 data_buf[0],
50 data_buf[1],
51 data_buf[2],
52 data_buf[3],
53 data_buf[4]
54 );
55
56 crc = data_buf[4];
669c1b80 57
52cf34c1 58 switch (data_buf[5]&0x7f) {
59 case 0x00 ... 0x2f:
60 strncpy(token_type, "IAM",sizeof(token_type));
61 break;
62 case 0x30 ... 0x6f:
63 strcpy(token_type, "SAM");
64 break;
65 case 0x70 ... 0x7f:
66 strcpy(token_type, "GAM");
67 break;
68 default:
69 strcpy(token_type, "???");
70 break;
71 }
72
73 stamp_len = 0xfc - data_buf[6];
74
75 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
76 data_buf[5],
77 data_buf[6],
78 token_type,
79 (data_buf[5]&0x80)>>7,
80 stamp_len
81 );
82
83 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
84 data_buf[7]&0x0f,
85 (data_buf[7]&0x70)>>4,
86 (data_buf[7]&0x80)>>7,
87 data_buf[7],
88 data_buf[8]
89 );
90
91 PrintAndLog("Remaining Header Area");
92 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
93 PrintAndLog("\nADF: User Area");
669c1b80 94
52cf34c1 95 i = 22;
96 for ( n=0; n<64; n++ ) {
97 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
98 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
99
100 wrp = (data_buf[i+2]^crc);
101 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
102
103 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
104 n,
105 data_buf[i]^crc,
106 data_buf[i+1]^crc,
107 data_buf[i+2]^crc,
108 data_buf[i+3]^crc,
109 segment_flag,
110 (segment_flag&0x4)>>2,
111 (segment_flag&0x8)>>3,
112 segment_len,
113 wrp,
114 wrc,
115 ((data_buf[i+3]^crc)&0x80)>>7,
116 (data_buf[i+4]^crc)
117 );
118
119 i+=5;
669c1b80 120
52cf34c1 121 if ( wrc>0 ) {
122 PrintAndLog("WRC protected area:");
123 for ( k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
124 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
125 out_string[j+2] = ' ';
126 }
127
128 out_string[j] = '\0';
129
130 PrintAndLog("%s", out_string);
131 }
669c1b80 132
52cf34c1 133 if ( wrp>wrc ) {
134 PrintAndLog("Remaining write protected area:");
135
136 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
137 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
138 out_string[j+2] = ' ';
139 };
140
141 out_string[j] = '\0';
142
143 PrintAndLog("%s", out_string);
144 if( (wrp-wrc) == 8 ) {
145 sprintf(out_string, "Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
146 PrintAndLog("%s", out_string);
147 }
148 }
669c1b80 149
52cf34c1 150 PrintAndLog("Remaining segment payload:");
151 for ( k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
152 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
153 out_string[j+2] = ' ';
154 };
669c1b80 155
52cf34c1 156 out_string[j] = '\0';
669c1b80 157
52cf34c1 158 PrintAndLog("%s", out_string);
669c1b80 159
52cf34c1 160 // end with last segment
161 if (segment_flag & 0x8) return 0;
162
163 } // end for loop
164 return 0;
669c1b80 165}
41dab153 166
52cf34c1 167int CmdLegicRFRead(const char *Cmd) {
168 int byte_count=0, offset=0;
169 sscanf(Cmd, "%i %i", &offset, &byte_count);
170 if(byte_count == 0) byte_count = -1;
171 if(byte_count + offset > 1024) byte_count = 1024 - offset;
172
173 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
174 clearCommandBuffer();
175 SendCommand(&c);
176 return 0;
41dab153 177}
3612a8a8 178
52cf34c1 179int CmdLegicLoad(const char *Cmd) {
b915fda3 180 char filename[FILE_PATH_SIZE] = {0x00};
181 int len = 0;
182
52cf34c1 183 char cmdp = param_getchar(Cmd, 0);
184 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) {
e7d099dc 185 PrintAndLog("It loads datasamples from the file `filename` to device memory");
b915fda3 186 PrintAndLog("Usage: hf legic load <file name>");
187 PrintAndLog(" sample: hf legic load filename");
188 return 0;
189 }
190
191 len = strlen(Cmd);
192 if (len > FILE_PATH_SIZE) {
193 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
194 return 0;
195 }
196 memcpy(filename, Cmd, len);
197
198 FILE *f = fopen(filename, "r");
3612a8a8 199 if(!f) {
200 PrintAndLog("couldn't open '%s'", Cmd);
201 return -1;
202 }
52cf34c1 203
204 char line[80];
810f5379 205 int offset = 0;
52cf34c1 206 uint32_t data[8] = {0x00};
207
208 while ( fgets(line, sizeof(line), f) ) {
3612a8a8 209 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
210 &data[0], &data[1], &data[2], &data[3],
211 &data[4], &data[5], &data[6], &data[7]);
e7d099dc 212
3612a8a8 213 if(res != 8) {
214 PrintAndLog("Error: could not read samples");
215 fclose(f);
216 return -1;
217 }
52cf34c1 218
e7d099dc 219 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
220 memcpy(c.d.asBytes, data, 8);
221 clearCommandBuffer();
3612a8a8 222 SendCommand(&c);
902cb3c0 223 WaitForResponse(CMD_ACK, NULL);
3612a8a8 224 offset += 8;
225 }
226 fclose(f);
227 PrintAndLog("loaded %u samples", offset);
228 return 0;
229}
230
52cf34c1 231int CmdLegicSave(const char *Cmd) {
232 int requested = 1024;
233 int offset = 0;
234 int delivered = 0;
235 char filename[FILE_PATH_SIZE];
236 uint8_t got[1024] = {0x00};
237
238 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
239
240 /* If no length given save entire legic read buffer */
241 /* round up to nearest 8 bytes so the saved data can be used with legicload */
e7d099dc 242 if (requested == 0)
52cf34c1 243 requested = 1024;
52cf34c1 244
245 if (requested % 8 != 0) {
246 int remainder = requested % 8;
247 requested = requested + 8 - remainder;
248 }
249
250 if (offset + requested > sizeof(got)) {
251 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
252 return 0;
253 }
254
255 FILE *f = fopen(filename, "w");
256 if(!f) {
257 PrintAndLog("couldn't open '%s'", Cmd+1);
258 return -1;
259 }
260
261 GetFromBigBuf(got,requested,offset);
262 WaitForResponse(CMD_ACK,NULL);
263
264 for (int j = 0; j < requested; j += 8) {
265 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
266 got[j+0],
267 got[j+1],
268 got[j+2],
269 got[j+3],
270 got[j+4],
271 got[j+5],
272 got[j+6],
273 got[j+7]
274 );
275 delivered += 8;
276 if (delivered >= requested) break;
277 }
278
279 fclose(f);
280 PrintAndLog("saved %u samples", delivered);
281 return 0;
3612a8a8 282}
283
52cf34c1 284int CmdLegicRfSim(const char *Cmd) {
285 UsbCommand c= {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
286 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
287 clearCommandBuffer();
288 SendCommand(&c);
289 return 0;
3612a8a8 290}
291
52cf34c1 292int CmdLegicRfWrite(const char *Cmd) {
293 UsbCommand c = {CMD_WRITER_LEGIC_RF};
125a98a1 294 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8 295 if(res != 2) {
296 PrintAndLog("Please specify the offset and length as two hex strings");
297 return -1;
298 }
52cf34c1 299 clearCommandBuffer();
3612a8a8 300 SendCommand(&c);
301 return 0;
302}
303
52cf34c1 304int CmdLegicRfFill(const char *Cmd) {
305 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
1a07fd51 306 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8 307 if(res != 3) {
308 PrintAndLog("Please specify the offset, length and value as two hex strings");
309 return -1;
310 }
311
312 int i;
52cf34c1 313 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
3612a8a8 314 for(i = 0; i < 48; i++) {
52cf34c1 315 c.d.asBytes[i] = cmd.arg[2];
3612a8a8 316 }
52cf34c1 317
318 for(i = 0; i < 22; i++) {
319 c.arg[0] = i*48;
320 SendCommand(&c);
321 WaitForResponse(CMD_ACK,NULL);
322 }
323 clearCommandBuffer();
3612a8a8 324 SendCommand(&cmd);
325 return 0;
326 }
327
52cf34c1 328static command_t CommandTable[] = {
329 {"help", CmdHelp, 1, "This help"},
330 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
331 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
332 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
333 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
334 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
335 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
336 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
337 {NULL, NULL, 0, NULL}
338};
339
340int CmdHFLegic(const char *Cmd) {
341 clearCommandBuffer();
342 CmdsParse(CommandTable, Cmd);
343 return 0;
344}
345
346int CmdHelp(const char *Cmd) {
347 CmdsHelp(CommandTable);
348 return 0;
349}
Impressum, Datenschutz