[proxmark3-svn] / client / cmdhflegic.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency Legic commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include "proxmark3.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"
#include "util.h"
static int CmdHelp(const char *Cmd);

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 */
int CmdLegicDecode(const char *Cmd)
{
	int i, j, k, n;
	int segment_len = 0;
	int segment_flag = 0;
	int stamp_len = 0;
	int crc = 0;
	int wrp = 0;
	int wrc = 0;
	uint8_t data_buf[3076]; // receiver buffer
	char out_string[3076]; // just use big buffer - bad practice
	char token_type[4];

	// copy data from proxmark into buffer
	GetFromBigBuf(data_buf,sizeof(data_buf),0);
	WaitForResponse(CMD_ACK,NULL);

	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)

	PrintAndLog("\nCDF: System Area");

	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
		data_buf[0],
		data_buf[1],
		data_buf[2],
		data_buf[3],
		data_buf[4]
	);

	crc = data_buf[4];
 
	switch (data_buf[5]&0x7f) {
		case 0x00 ... 0x2f:
			strncpy(token_type, "IAM",sizeof(token_type));
			break;
		case 0x30 ... 0x6f:
			strcpy(token_type, "SAM");
			break;
		case 0x70 ... 0x7f:
			strcpy(token_type, "GAM");
			break;
		default:
			strcpy(token_type, "???");
			break;
	}

	stamp_len = 0xfc - data_buf[6];

	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
		data_buf[5],
		data_buf[6],
		token_type,
		(data_buf[5]&0x80)>>7,
		stamp_len
	);

	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
		data_buf[7]&0x0f,
		(data_buf[7]&0x70)>>4,
		(data_buf[7]&0x80)>>7,
		data_buf[7],
		data_buf[8]
	);

	PrintAndLog("Remaining Header Area");
	PrintAndLog("%s", sprint_hex(data_buf+9, 13));
	PrintAndLog("\nADF: User Area");
  
	i = 22;  
	for ( n=0; n<64; n++ ) {
		segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
		segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;

		wrp = (data_buf[i+2]^crc);
		wrc = ((data_buf[i+3]^crc)&0x70)>>4;

		PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
			n,
			data_buf[i]^crc,
			data_buf[i+1]^crc,
			data_buf[i+2]^crc,
			data_buf[i+3]^crc,
			segment_flag,
			(segment_flag&0x4)>>2,
			(segment_flag&0x8)>>3,
			segment_len,
			wrp,
			wrc,
			((data_buf[i+3]^crc)&0x80)>>7,
			(data_buf[i+4]^crc)
		);

		i+=5;
    
		if ( wrc>0 ) {
			PrintAndLog("WRC protected area:");
			for ( k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
				out_string[j+2] = ' ';
			}

			out_string[j] = '\0';

			PrintAndLog("%s", out_string);
		}
    
		if ( wrp>wrc ) {
			PrintAndLog("Remaining write protected area:");

			for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
				sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
				out_string[j+2] = ' ';
			};

			out_string[j] = '\0';

			PrintAndLog("%s", out_string);
			if( (wrp-wrc) == 8 ) {
				sprintf(out_string, "Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
				PrintAndLog("%s", out_string);
			}
		}
    
		PrintAndLog("Remaining segment payload:");
		for ( k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
			sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
			out_string[j+2] = ' ';
		};
    
		out_string[j] = '\0';
    
		PrintAndLog("%s", out_string);
    
		// end with last segment
		if (segment_flag & 0x8) return 0;

	} // end for loop
	return 0;
}

int CmdLegicRFRead(const char *Cmd) {
	int byte_count=0, offset=0;
	sscanf(Cmd, "%i %i", &offset, &byte_count);
	if(byte_count == 0) byte_count = -1;
	if(byte_count + offset > 1024) byte_count = 1024 - offset;

	UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	return 0;
}

int CmdLegicLoad(const char *Cmd) {
	char filename[FILE_PATH_SIZE] = {0x00};
	int len = 0;
	
	char cmdp = param_getchar(Cmd, 0);
	if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) {
		PrintAndLog("It loads datasamples from the file `filename` to device memory");
		PrintAndLog("Usage:  hf legic load <file name>");
		PrintAndLog(" sample: hf legic load filename");
		return 0;
	}

	len = strlen(Cmd);	
	if (len > FILE_PATH_SIZE) {
		PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
		return 0;
	}
	memcpy(filename, Cmd, len);

    FILE *f = fopen(filename, "r");
    if(!f) {
        PrintAndLog("couldn't open '%s'", Cmd);
        return -1;
    }
	
    char line[80]; 
	int offset = 0; 
	uint32_t data[8] = {0x00};
	
    while ( fgets(line, sizeof(line), f) ) {
        int res = sscanf(line, "%x %x %x %x %x %x %x %x", 
            &data[0], &data[1], &data[2], &data[3],
            &data[4], &data[5], &data[6], &data[7]);
			
        if(res != 8) {
          PrintAndLog("Error: could not read samples");
          fclose(f);
          return -1;
        }
		
        UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
		memcpy(c.d.asBytes, data, 8);
		clearCommandBuffer();
        SendCommand(&c);
        WaitForResponse(CMD_ACK, NULL);
        offset += 8;
    }
    fclose(f);
    PrintAndLog("loaded %u samples", offset);
    return 0;
}

int CmdLegicSave(const char *Cmd) {
	int requested = 1024;
	int offset = 0;
	int delivered = 0;
	char filename[FILE_PATH_SIZE];
	uint8_t got[1024] = {0x00};

	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);

	/* If no length given save entire legic read buffer */
	/* round up to nearest 8 bytes so the saved data can be used with legicload */
	if (requested == 0)
		requested = 1024;

	if (requested % 8 != 0) {
		int remainder = requested % 8;
		requested = requested + 8 - remainder;
	}

	if (offset + requested > sizeof(got)) {
		PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
		return 0;
	}

	FILE *f = fopen(filename, "w");
	if(!f) {
		PrintAndLog("couldn't open '%s'", Cmd+1);
		return -1;
	}

	GetFromBigBuf(got,requested,offset);
	WaitForResponse(CMD_ACK,NULL);

	for (int j = 0; j < requested; j += 8) {
		fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
			got[j+0],
			got[j+1],
			got[j+2],
			got[j+3],
			got[j+4],
			got[j+5],
			got[j+6],
			got[j+7]
		);
		delivered += 8;
		if (delivered >= requested) break;
	}

	fclose(f);
	PrintAndLog("saved %u samples", delivered);
	return 0;
}

int CmdLegicRfSim(const char *Cmd) {
	UsbCommand c= {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
	sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
	clearCommandBuffer();
	SendCommand(&c);
	return 0;
}

int CmdLegicRfWrite(const char *Cmd) {
    UsbCommand c = {CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
	if(res != 2) {
		PrintAndLog("Please specify the offset and length as two hex strings");
        return -1;
    }
	clearCommandBuffer();
    SendCommand(&c);
    return 0;
}

int CmdLegicRfFill(const char *Cmd) {
    UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
    int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
    if(res != 3) {
        PrintAndLog("Please specify the offset, length and value as two hex strings");
        return -1;
    }

    int i;
    UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
    for(i = 0; i < 48; i++) {
		c.d.asBytes[i] = cmd.arg[2];
    }
	
	for(i = 0; i < 22; i++) {
		c.arg[0] = i*48;
		SendCommand(&c);
		WaitForResponse(CMD_ACK,NULL);
	}
	clearCommandBuffer();
    SendCommand(&cmd);
    return 0;
 }

static command_t CommandTable[] =  {
	{"help",        CmdHelp,        1, "This help"},
	{"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
	{"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
	{"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
	{"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
	{"sim",         CmdLegicRfSim,  0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
	{"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
	{"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
	{NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd) {
	clearCommandBuffer();
	CmdsParse(CommandTable, Cmd);
	return 0;
}

int CmdHelp(const char *Cmd) {
	CmdsHelp(CommandTable);
	return 0;
}
Commit	Line	Data
a553f267	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// High frequency Legic commands
	9	//-----------------------------------------------------------------------------
	10
8e220a91	11	#include <stdio.h>
8e220a91	12	#include <string.h>
902cb3c0	13	#include "proxmark3.h"
41dab153	14	#include "data.h"
41dab153	15	#include "ui.h"
7fe9b0b7	16	#include "cmdparser.h"
7fe9b0b7	17	#include "cmdhflegic.h"
669c1b80	18	#include "cmdmain.h"
31d1caa5	19	#include "util.h"
7fe9b0b7	20	static int CmdHelp(const char *Cmd);
7fe9b0b7	21
669c1b80	22	/*
	23	* Output BigBuf and deobfuscate LEGIC RF tag data.
	24	* This is based on information given in the talk held
	25	* by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80	26	*/
	27	int CmdLegicDecode(const char *Cmd)
	28	{
52cf34c1	29	int i, j, k, n;
	30	int segment_len = 0;
	31	int segment_flag = 0;
	32	int stamp_len = 0;
	33	int crc = 0;
	34	int wrp = 0;
	35	int wrc = 0;
	36	uint8_t data_buf[3076]; // receiver buffer
	37	char out_string[3076]; // just use big buffer - bad practice
	38	char token_type[4];
	39
	40	// copy data from proxmark into buffer
	41	GetFromBigBuf(data_buf,sizeof(data_buf),0);
	42	WaitForResponse(CMD_ACK,NULL);
	43
	44	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	45
	46	PrintAndLog("\nCDF: System Area");
	47
	48	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	49	data_buf[0],
	50	data_buf[1],
	51	data_buf[2],
	52	data_buf[3],
	53	data_buf[4]
	54	);
	55
	56	crc = data_buf[4];
669c1b80	57
52cf34c1	58	switch (data_buf[5]&0x7f) {
	59	case 0x00 ... 0x2f:
	60	strncpy(token_type, "IAM",sizeof(token_type));
	61	break;
	62	case 0x30 ... 0x6f:
	63	strcpy(token_type, "SAM");
	64	break;
	65	case 0x70 ... 0x7f:
	66	strcpy(token_type, "GAM");
	67	break;
	68	default:
	69	strcpy(token_type, "???");
	70	break;
	71	}
	72
	73	stamp_len = 0xfc - data_buf[6];
	74
	75	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
	76	data_buf[5],
	77	data_buf[6],
	78	token_type,
	79	(data_buf[5]&0x80)>>7,
	80	stamp_len
	81	);
	82
	83	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
	84	data_buf[7]&0x0f,
	85	(data_buf[7]&0x70)>>4,
	86	(data_buf[7]&0x80)>>7,
	87	data_buf[7],
	88	data_buf[8]
	89	);
	90
	91	PrintAndLog("Remaining Header Area");
	92	PrintAndLog("%s", sprint_hex(data_buf+9, 13));
	93	PrintAndLog("\nADF: User Area");
669c1b80	94
52cf34c1	95	i = 22;
	96	for ( n=0; n<64; n++ ) {
	97	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	98	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	99
	100	wrp = (data_buf[i+2]^crc);
	101	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	102
	103	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	104	n,
	105	data_buf[i]^crc,
	106	data_buf[i+1]^crc,
	107	data_buf[i+2]^crc,
	108	data_buf[i+3]^crc,
	109	segment_flag,
	110	(segment_flag&0x4)>>2,
	111	(segment_flag&0x8)>>3,
	112	segment_len,
	113	wrp,
	114	wrc,
	115	((data_buf[i+3]^crc)&0x80)>>7,
	116	(data_buf[i+4]^crc)
	117	);
	118
	119	i+=5;
669c1b80	120
52cf34c1	121	if ( wrc>0 ) {
	122	PrintAndLog("WRC protected area:");
	123	for ( k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
	124	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	125	out_string[j+2] = ' ';
	126	}
	127
	128	out_string[j] = '\0';
	129
	130	PrintAndLog("%s", out_string);
	131	}
669c1b80	132
52cf34c1	133	if ( wrp>wrc ) {
	134	PrintAndLog("Remaining write protected area:");
	135
	136	for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
	137	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	138	out_string[j+2] = ' ';
	139	};
	140
	141	out_string[j] = '\0';
	142
	143	PrintAndLog("%s", out_string);
	144	if( (wrp-wrc) == 8 ) {
	145	sprintf(out_string, "Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
	146	PrintAndLog("%s", out_string);
	147	}
	148	}
669c1b80	149
52cf34c1	150	PrintAndLog("Remaining segment payload:");
	151	for ( k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
	152	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	153	out_string[j+2] = ' ';
	154	};
669c1b80	155
52cf34c1	156	out_string[j] = '\0';
669c1b80	157
52cf34c1	158	PrintAndLog("%s", out_string);
669c1b80	159
52cf34c1	160	// end with last segment
	161	if (segment_flag & 0x8) return 0;
	162
	163	} // end for loop
	164	return 0;
669c1b80	165	}
41dab153	166
52cf34c1	167	int CmdLegicRFRead(const char *Cmd) {
	168	int byte_count=0, offset=0;
	169	sscanf(Cmd, "%i %i", &offset, &byte_count);
	170	if(byte_count == 0) byte_count = -1;
	171	if(byte_count + offset > 1024) byte_count = 1024 - offset;
	172
	173	UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	174	clearCommandBuffer();
	175	SendCommand(&c);
	176	return 0;
41dab153	177	}
3612a8a8	178
52cf34c1	179	int CmdLegicLoad(const char *Cmd) {
b915fda3	180	char filename[FILE_PATH_SIZE] = {0x00};
	181	int len = 0;
	182
52cf34c1	183	char cmdp = param_getchar(Cmd, 0);
52cf34c1	184	if ( cmdp == 'H' \|\| cmdp == 'h' \|\| cmdp == 0x00) {
e7d099dc	185	PrintAndLog("It loads datasamples from the file `filename` to device memory");
b915fda3	186	PrintAndLog("Usage: hf legic load <file name>");
	187	PrintAndLog(" sample: hf legic load filename");
	188	return 0;
	189	}
	190
	191	len = strlen(Cmd);
	192	if (len > FILE_PATH_SIZE) {
	193	PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
	194	return 0;
	195	}
	196	memcpy(filename, Cmd, len);
	197
	198	FILE *f = fopen(filename, "r");
3612a8a8	199	if(!f) {
	200	PrintAndLog("couldn't open '%s'", Cmd);
	201	return -1;
	202	}
52cf34c1	203
52cf34c1	204	char line[80];
810f5379	205	int offset = 0;
52cf34c1	206	uint32_t data[8] = {0x00};
	207
	208	while ( fgets(line, sizeof(line), f) ) {
3612a8a8	209	int res = sscanf(line, "%x %x %x %x %x %x %x %x",
	210	&data[0], &data[1], &data[2], &data[3],
	211	&data[4], &data[5], &data[6], &data[7]);
e7d099dc	212
3612a8a8	213	if(res != 8) {
	214	PrintAndLog("Error: could not read samples");
	215	fclose(f);
	216	return -1;
	217	}
52cf34c1	218
e7d099dc	219	UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
	220	memcpy(c.d.asBytes, data, 8);
	221	clearCommandBuffer();
3612a8a8	222	SendCommand(&c);
902cb3c0	223	WaitForResponse(CMD_ACK, NULL);
3612a8a8	224	offset += 8;
	225	}
	226	fclose(f);
	227	PrintAndLog("loaded %u samples", offset);
	228	return 0;
	229	}
	230
52cf34c1	231	int CmdLegicSave(const char *Cmd) {
	232	int requested = 1024;
	233	int offset = 0;
	234	int delivered = 0;
	235	char filename[FILE_PATH_SIZE];
	236	uint8_t got[1024] = {0x00};
	237
	238	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
	239
	240	/* If no length given save entire legic read buffer */
	241	/* round up to nearest 8 bytes so the saved data can be used with legicload */
e7d099dc	242	if (requested == 0)
52cf34c1	243	requested = 1024;
52cf34c1	244
	245	if (requested % 8 != 0) {
	246	int remainder = requested % 8;
	247	requested = requested + 8 - remainder;
	248	}
	249
	250	if (offset + requested > sizeof(got)) {
	251	PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
	252	return 0;
	253	}
	254
	255	FILE *f = fopen(filename, "w");
	256	if(!f) {
	257	PrintAndLog("couldn't open '%s'", Cmd+1);
	258	return -1;
	259	}
	260
	261	GetFromBigBuf(got,requested,offset);
	262	WaitForResponse(CMD_ACK,NULL);
	263
	264	for (int j = 0; j < requested; j += 8) {
	265	fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
	266	got[j+0],
	267	got[j+1],
	268	got[j+2],
	269	got[j+3],
	270	got[j+4],
	271	got[j+5],
	272	got[j+6],
	273	got[j+7]
	274	);
	275	delivered += 8;
	276	if (delivered >= requested) break;
	277	}
	278
	279	fclose(f);
	280	PrintAndLog("saved %u samples", delivered);
	281	return 0;
3612a8a8	282	}
3612a8a8	283
52cf34c1	284	int CmdLegicRfSim(const char *Cmd) {
	285	UsbCommand c= {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
	286	sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
	287	clearCommandBuffer();
	288	SendCommand(&c);
	289	return 0;
3612a8a8	290	}
3612a8a8	291
52cf34c1	292	int CmdLegicRfWrite(const char *Cmd) {
52cf34c1	293	UsbCommand c = {CMD_WRITER_LEGIC_RF};
125a98a1	294	int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8	295	if(res != 2) {
	296	PrintAndLog("Please specify the offset and length as two hex strings");
	297	return -1;
	298	}
52cf34c1	299	clearCommandBuffer();
3612a8a8	300	SendCommand(&c);
	301	return 0;
	302	}
	303
52cf34c1	304	int CmdLegicRfFill(const char *Cmd) {
52cf34c1	305	UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
1a07fd51	306	int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8	307	if(res != 3) {
	308	PrintAndLog("Please specify the offset, length and value as two hex strings");
	309	return -1;
	310	}
	311
	312	int i;
52cf34c1	313	UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
3612a8a8	314	for(i = 0; i < 48; i++) {
52cf34c1	315	c.d.asBytes[i] = cmd.arg[2];
3612a8a8	316	}
52cf34c1	317
	318	for(i = 0; i < 22; i++) {
	319	c.arg[0] = i*48;
	320	SendCommand(&c);
	321	WaitForResponse(CMD_ACK,NULL);
	322	}
	323	clearCommandBuffer();
3612a8a8	324	SendCommand(&cmd);
	325	return 0;
	326	}
	327
52cf34c1	328	static command_t CommandTable[] = {
	329	{"help", CmdHelp, 1, "This help"},
	330	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
	331	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
	332	{"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
	333	{"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
	334	{"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
	335	{"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
	336	{"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
	337	{NULL, NULL, 0, NULL}
	338	};
	339
	340	int CmdHFLegic(const char *Cmd) {
	341	clearCommandBuffer();
	342	CmdsParse(CommandTable, Cmd);
	343	return 0;
	344	}
	345
	346	int CmdHelp(const char *Cmd) {
	347	CmdsHelp(CommandTable);
	348	return 0;
	349	}