]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhflegic.c
ADD: changed the annotation for 14b, it now shows WUPB/REQB and number of slots we...
[proxmark3-svn] / client / cmdhflegic.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency Legic commands
9//-----------------------------------------------------------------------------
10
8e220a91 11#include <stdio.h>
12#include <string.h>
902cb3c0 13#include "proxmark3.h"
41dab153 14#include "data.h"
15#include "ui.h"
7fe9b0b7 16#include "cmdparser.h"
17#include "cmdhflegic.h"
669c1b80 18#include "cmdmain.h"
31d1caa5 19#include "util.h"
3b920280 20#include "crc.h"
7fe9b0b7 21static int CmdHelp(const char *Cmd);
22
3b920280 23int usage_legic_calccrc8(void){
24 PrintAndLog("Calculates the legic crc8 on the input hexbytes.");
25 PrintAndLog("There must be an even number of hexsymbols as input.");
26 PrintAndLog("Usage: hf legic crc8 <hexbytes>");
27 PrintAndLog("Options :");
28 PrintAndLog(" <hexbytes> : hex bytes in a string");
29 PrintAndLog("");
30 PrintAndLog("Sample : hf legic crc8 deadbeef1122");
31 return 0;
32}
33
e579e768 34int usage_legic_load(void){
35 PrintAndLog("It loads datasamples from the file `filename` to device memory");
36 PrintAndLog("Usage: hf legic load <file name>");
37 PrintAndLog(" sample: hf legic load filename");
38 return 0;
39}
40
669c1b80 41/*
42 * Output BigBuf and deobfuscate LEGIC RF tag data.
43 * This is based on information given in the talk held
44 * by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80 45 */
3b920280 46int CmdLegicDecode(const char *Cmd) {
d7fd9084 47 // Index for the bytearray.
48 int i = 0;
49 int k = 0, segmentNum;
52cf34c1 50 int segment_len = 0;
51 int segment_flag = 0;
60bb5ef7 52 uint8_t stamp_len = 0;
52cf34c1 53 int crc = 0;
54 int wrp = 0;
55 int wrc = 0;
d7fd9084 56 uint8_t data_buf[1200]; // receiver buffer, should be 1024..
52cf34c1 57 char token_type[4];
58
59 // copy data from proxmark into buffer
f7f844d0 60 GetFromBigBuf(data_buf, sizeof(data_buf), 0);
61 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
62 PrintAndLog("Command execute timeout");
63 return 1;
64 }
65
52cf34c1 66 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
3b920280 67 crc = data_buf[4];
68 uint32_t calc_crc = CRC8Legic(data_buf, 4);
69
52cf34c1 70 PrintAndLog("\nCDF: System Area");
aacb96d7 71 PrintAndLog("------------------------------------------------------");
3b920280 72 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
52cf34c1 73 data_buf[0],
74 data_buf[1],
75 data_buf[2],
76 data_buf[3],
3b920280 77 data_buf[4],
e579e768 78 (calc_crc == crc) ? "OK":"Fail"
52cf34c1 79 );
669c1b80 80
d7fd9084 81 switch (data_buf[5] & 0x7f) {
52cf34c1 82 case 0x00 ... 0x2f:
83 strncpy(token_type, "IAM",sizeof(token_type));
84 break;
85 case 0x30 ... 0x6f:
d7fd9084 86 strncpy(token_type, "SAM",sizeof(token_type));
52cf34c1 87 break;
88 case 0x70 ... 0x7f:
d7fd9084 89 strncpy(token_type, "GAM",sizeof(token_type));
52cf34c1 90 break;
91 default:
d7fd9084 92 strncpy(token_type, "???",sizeof(token_type));
52cf34c1 93 break;
94 }
95
96 stamp_len = 0xfc - data_buf[6];
97
9827020a 98 PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
52cf34c1 99 data_buf[5],
100 data_buf[6],
101 token_type,
102 (data_buf[5]&0x80)>>7,
103 stamp_len
104 );
105
106 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
107 data_buf[7]&0x0f,
108 (data_buf[7]&0x70)>>4,
109 (data_buf[7]&0x80)>>7,
110 data_buf[7],
111 data_buf[8]
112 );
113
114 PrintAndLog("Remaining Header Area");
115 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
d7fd9084 116
e579e768 117 uint8_t segCrcBytes[8] = {0x00};
118 uint32_t segCalcCRC = 0;
119 uint32_t segCRC = 0;
d7fd9084 120
aacb96d7 121 // see if user area is xored or just zeros.
122 int numOfZeros = 0;
123 for (int index=22; index < 256; ++index){
124 if ( data_buf[index] == 0x00 )
125 ++numOfZeros;
126 }
127 // if possible zeros is less then 60%, lets assume data is xored
128 // 256 - 22 (header) = 234
129 // 1024 - 22 (header) = 1002
130 int isXored = (numOfZeros*100/stamp_len) < 50;
131 PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len));
132
133 print_hex_break( data_buf, 33, 16);
134
d7fd9084 135 PrintAndLog("\nADF: User Area");
aacb96d7 136 PrintAndLog("------------------------------------------------------");
d7fd9084 137 i = 22;
138 // 64 potential segements
f7f844d0 139 // how to detect there is no segments?!?
d7fd9084 140 for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
52cf34c1 141 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
142 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
143
144 wrp = (data_buf[i+2]^crc);
145 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
146
d7fd9084 147 bool hasWRC = (wrc > 0);
148 bool hasWRP = (wrp > wrc);
149 int wrp_len = (wrp - wrc);
150 int remain_seg_payload_len = (segment_len - wrp - 5);
e579e768 151
d7fd9084 152 // validate segment-crc
153 segCrcBytes[0]=data_buf[0]; //uid0
154 segCrcBytes[1]=data_buf[1]; //uid1
155 segCrcBytes[2]=data_buf[2]; //uid2
156 segCrcBytes[3]=data_buf[3]; //uid3
157 segCrcBytes[4]=(data_buf[i]^crc); //hdr0
e579e768 158 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
159 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
160 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
d7fd9084 161
e579e768 162 segCalcCRC = CRC8Legic(segCrcBytes, 8);
d7fd9084 163 segCRC = data_buf[i+4]^crc;
e579e768 164
aacb96d7 165 PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
d7fd9084 166 segmentNum,
52cf34c1 167 data_buf[i]^crc,
168 data_buf[i+1]^crc,
169 data_buf[i+2]^crc,
170 data_buf[i+3]^crc,
9827020a 171 segment_len,
52cf34c1 172 segment_flag,
d7fd9084 173 (segment_flag & 0x4) >> 2,
174 (segment_flag & 0x8) >> 3,
52cf34c1 175 wrp,
176 wrc,
d7fd9084 177 ((data_buf[i+3]^crc) & 0x80) >> 7,
e579e768 178 segCRC,
179 ( segCRC == segCalcCRC ) ? "OK" : "fail"
52cf34c1 180 );
181
3b920280 182 i += 5;
669c1b80 183
d7fd9084 184 if ( hasWRC ) {
185 PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
aacb96d7 186 PrintAndLog("\nrow | data");
187 PrintAndLog("-----+------------------------------------------------");
a182a680 188 // de-xor? if not zero, assume it needs xoring.
aacb96d7 189 if ( isXored) {
a182a680 190 for ( k=i; k < wrc; ++k)
191 data_buf[k] ^= crc;
192 }
9827020a 193 print_hex_break( data_buf+i, wrc, 16);
3b920280 194
195 i += wrc;
52cf34c1 196 }
669c1b80 197
d7fd9084 198 if ( hasWRP ) {
199 PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
aacb96d7 200 PrintAndLog("\nrow | data");
201 PrintAndLog("-----+------------------------------------------------");
d7fd9084 202
aacb96d7 203 if (isXored) {
a182a680 204 for (k=i; k < wrp_len; ++k)
9827020a 205 data_buf[k] ^= crc;
206 }
3b920280 207
9827020a 208 print_hex_break( data_buf+i, wrp_len, 16);
3b920280 209
d7fd9084 210 i += wrp_len;
211
a182a680 212 // does this one work?
9827020a 213 if( wrp_len == 8 )
214 PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
52cf34c1 215 }
669c1b80 216
a182a680 217 PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
aacb96d7 218 PrintAndLog("\nrow | data");
219 PrintAndLog("-----+------------------------------------------------");
220 if ( isXored ) {
a182a680 221 for ( k=i; k < remain_seg_payload_len; ++k)
9827020a 222 data_buf[k] ^= crc;
223 }
3b920280 224
9827020a 225 print_hex_break( data_buf+i, remain_seg_payload_len, 16);
669c1b80 226
d7fd9084 227 i += remain_seg_payload_len;
228
aacb96d7 229 PrintAndLog("-----+------------------------------------------------\n");
a182a680 230
52cf34c1 231 // end with last segment
232 if (segment_flag & 0x8) return 0;
233
234 } // end for loop
235 return 0;
669c1b80 236}
41dab153 237
52cf34c1 238int CmdLegicRFRead(const char *Cmd) {
239 int byte_count=0, offset=0;
240 sscanf(Cmd, "%i %i", &offset, &byte_count);
241 if(byte_count == 0) byte_count = -1;
242 if(byte_count + offset > 1024) byte_count = 1024 - offset;
243
244 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
245 clearCommandBuffer();
246 SendCommand(&c);
247 return 0;
41dab153 248}
3612a8a8 249
52cf34c1 250int CmdLegicLoad(const char *Cmd) {
b915fda3 251
52cf34c1 252 char cmdp = param_getchar(Cmd, 0);
e579e768 253 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
b915fda3 254
e579e768 255 char filename[FILE_PATH_SIZE] = {0x00};
256 int len = strlen(Cmd);
257
b915fda3 258 if (len > FILE_PATH_SIZE) {
259 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
260 return 0;
261 }
262 memcpy(filename, Cmd, len);
263
264 FILE *f = fopen(filename, "r");
3612a8a8 265 if(!f) {
266 PrintAndLog("couldn't open '%s'", Cmd);
267 return -1;
268 }
52cf34c1 269
270 char line[80];
810f5379 271 int offset = 0;
c6e0a2eb 272 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
273 int index = 0;
274 int totalbytes = 0;
52cf34c1 275 while ( fgets(line, sizeof(line), f) ) {
3612a8a8 276 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
c6e0a2eb 277 (unsigned int *)&data[index],
278 (unsigned int *)&data[index + 1],
279 (unsigned int *)&data[index + 2],
280 (unsigned int *)&data[index + 3],
281 (unsigned int *)&data[index + 4],
282 (unsigned int *)&data[index + 5],
283 (unsigned int *)&data[index + 6],
284 (unsigned int *)&data[index + 7]);
e7d099dc 285
3612a8a8 286 if(res != 8) {
287 PrintAndLog("Error: could not read samples");
288 fclose(f);
289 return -1;
290 }
c6e0a2eb 291 index += res;
292
293 if ( index == USB_CMD_DATA_SIZE ){
294// PrintAndLog("sent %d | %d | %d", index, offset, totalbytes);
295 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
296 memcpy(c.d.asBytes, data, sizeof(data));
297 clearCommandBuffer();
298 SendCommand(&c);
d7fd9084 299 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
300 PrintAndLog("Command execute timeout");
301 fclose(f);
302 return 1;
303 }
c6e0a2eb 304 offset += index;
305 totalbytes += index;
306 index = 0;
307 }
3612a8a8 308 }
309 fclose(f);
c6e0a2eb 310
311 // left over bytes?
312 if ( index != 0 ) {
313 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
314 memcpy(c.d.asBytes, data, 8);
315 clearCommandBuffer();
316 SendCommand(&c);
d7fd9084 317 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
318 PrintAndLog("Command execute timeout");
319 return 1;
320 }
c6e0a2eb 321 totalbytes += index;
322 }
323
324 PrintAndLog("loaded %u samples", totalbytes);
3612a8a8 325 return 0;
326}
327
52cf34c1 328int CmdLegicSave(const char *Cmd) {
329 int requested = 1024;
330 int offset = 0;
331 int delivered = 0;
332 char filename[FILE_PATH_SIZE];
333 uint8_t got[1024] = {0x00};
334
335 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
336
337 /* If no length given save entire legic read buffer */
338 /* round up to nearest 8 bytes so the saved data can be used with legicload */
e7d099dc 339 if (requested == 0)
52cf34c1 340 requested = 1024;
52cf34c1 341
342 if (requested % 8 != 0) {
343 int remainder = requested % 8;
344 requested = requested + 8 - remainder;
345 }
346
347 if (offset + requested > sizeof(got)) {
348 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
349 return 0;
350 }
351
d7fd9084 352 GetFromBigBuf(got, requested, offset);
f7f844d0 353 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
aacb96d7 354 PrintAndLog("Command execute timeout");
f7f844d0 355 return 1;
356 }
52cf34c1 357
aacb96d7 358 FILE *f = fopen(filename, "w");
359 if(!f) {
360 PrintAndLog("couldn't open '%s'", Cmd+1);
361 return -1;
362 }
363
52cf34c1 364 for (int j = 0; j < requested; j += 8) {
365 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
c6e0a2eb 366 got[j+0], got[j+1], got[j+2], got[j+3],
367 got[j+4], got[j+5], got[j+6], got[j+7]
52cf34c1 368 );
369 delivered += 8;
370 if (delivered >= requested) break;
371 }
372
373 fclose(f);
374 PrintAndLog("saved %u samples", delivered);
375 return 0;
3612a8a8 376}
377
f7f844d0 378//TODO: write a help text (iceman)
52cf34c1 379int CmdLegicRfSim(const char *Cmd) {
3b920280 380 UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
52cf34c1 381 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
382 clearCommandBuffer();
383 SendCommand(&c);
384 return 0;
3612a8a8 385}
386
f7f844d0 387//TODO: write a help text (iceman)
52cf34c1 388int CmdLegicRfWrite(const char *Cmd) {
389 UsbCommand c = {CMD_WRITER_LEGIC_RF};
125a98a1 390 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8 391 if(res != 2) {
392 PrintAndLog("Please specify the offset and length as two hex strings");
393 return -1;
394 }
52cf34c1 395 clearCommandBuffer();
3612a8a8 396 SendCommand(&c);
397 return 0;
398}
399
52cf34c1 400int CmdLegicRfFill(const char *Cmd) {
401 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
1a07fd51 402 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8 403 if(res != 3) {
404 PrintAndLog("Please specify the offset, length and value as two hex strings");
405 return -1;
406 }
407
408 int i;
52cf34c1 409 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
3612a8a8 410 for(i = 0; i < 48; i++) {
52cf34c1 411 c.d.asBytes[i] = cmd.arg[2];
3612a8a8 412 }
52cf34c1 413
414 for(i = 0; i < 22; i++) {
415 c.arg[0] = i*48;
416 SendCommand(&c);
417 WaitForResponse(CMD_ACK,NULL);
418 }
419 clearCommandBuffer();
3612a8a8 420 SendCommand(&cmd);
421 return 0;
422 }
423
3b920280 424int CmdLegicCalcCrc8(const char *Cmd){
425
426 int len = strlen(Cmd);
6cf8fcb0 427 if ( len & 1 ) return usage_legic_calccrc8();
3b920280 428
aacb96d7 429 // add 1 for null terminator.
430 uint8_t *data = malloc(len+1);
3b920280 431 if ( data == NULL ) return 1;
432
eb5206bd 433 if (param_gethex(Cmd, 0, data, len )) {
434 free(data);
435 return usage_legic_calccrc8();
436 }
3b920280 437
438 uint32_t checksum = CRC8Legic(data, len/2);
439 PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
440 free(data);
441 return 0;
442}
443
52cf34c1 444static command_t CommandTable[] = {
3b920280 445 {"help", CmdHelp, 1, "This help"},
446 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
447 {"read", CmdLegicRFRead, 0, "[offset][length] -- read bytes from a LEGIC card"},
448 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
449 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
450 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
451 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
452 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
453 {"crc8", CmdLegicCalcCrc8, 1, "Calculate Legic CRC8 over given hexbytes"},
52cf34c1 454 {NULL, NULL, 0, NULL}
455};
456
457int CmdHFLegic(const char *Cmd) {
458 clearCommandBuffer();
459 CmdsParse(CommandTable, Cmd);
460 return 0;
461}
462
463int CmdHelp(const char *Cmd) {
464 CmdsHelp(CommandTable);
465 return 0;
466}
Impressum, Datenschutz