]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Copyright (C) 2010 iZsh <izsh at fail0verflow.com> | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // High frequency Legic commands | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include <stdio.h> | |
12 | #include <string.h> | |
13 | #include "proxusb.h" | |
14 | #include "data.h" | |
15 | #include "ui.h" | |
16 | #include "cmdparser.h" | |
17 | #include "cmdhflegic.h" | |
18 | #include "cmdmain.h" | |
19 | ||
20 | static int CmdHelp(const char *Cmd); | |
21 | ||
22 | static command_t CommandTable[] = | |
23 | { | |
24 | {"help", CmdHelp, 1, "This help"}, | |
25 | {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"}, | |
26 | {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"}, | |
27 | {NULL, NULL, 0, NULL} | |
28 | }; | |
29 | ||
30 | int CmdHFLegic(const char *Cmd) | |
31 | { | |
32 | CmdsParse(CommandTable, Cmd); | |
33 | return 0; | |
34 | } | |
35 | ||
36 | int CmdHelp(const char *Cmd) | |
37 | { | |
38 | CmdsHelp(CommandTable); | |
39 | return 0; | |
40 | } | |
41 | ||
42 | /* | |
43 | * Output BigBuf and deobfuscate LEGIC RF tag data. | |
44 | * This is based on information given in the talk held | |
45 | * by Henryk Ploetz and Karsten Nohl at 26c3 | |
46 | */ | |
47 | int CmdLegicDecode(const char *Cmd) | |
48 | { | |
49 | int h, i, j, k, n; | |
50 | int segment_len = 0; | |
51 | int segment_flag = 0; | |
52 | int stamp_len = 0; | |
53 | int crc = 0; | |
54 | int wrp = 0; | |
55 | int wrc = 0; | |
56 | int data_buf[1032]; // receiver buffer | |
57 | char out_string[3076]; // just use big buffer - bad practice | |
58 | char token_type[4]; | |
59 | int delivered = 0; | |
60 | ||
61 | h = 0; | |
62 | ||
63 | // copy data from proxmark into buffer | |
64 | for (i = 0; i < 256; i += 12, h += 48) { | |
65 | UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}}; | |
66 | SendCommand(&c); | |
67 | WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K); | |
68 | ||
69 | for (j = 0; j < 48; j += 8) { | |
70 | for (k = 0; k < 8; k++) { | |
71 | data_buf[h+j+k] = sample_buf[j+k]; | |
72 | } | |
73 | delivered += 8; | |
74 | if (delivered >= 1024) | |
75 | break; | |
76 | } | |
77 | } | |
78 | ||
79 | // Output CDF System area (9 bytes) plus remaining header area (12 bytes) | |
80 | ||
81 | PrintAndLog("\nCDF: System Area"); | |
82 | ||
83 | PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x", | |
84 | data_buf[0], | |
85 | data_buf[1], | |
86 | data_buf[2], | |
87 | data_buf[3], | |
88 | data_buf[4] | |
89 | ); | |
90 | ||
91 | crc = data_buf[4]; | |
92 | ||
93 | switch (data_buf[5]&0x7f) { | |
94 | case 0x00 ... 0x2f: | |
95 | strncpy(token_type, "IAM",sizeof(token_type)); | |
96 | break; | |
97 | case 0x30 ... 0x6f: | |
98 | strcpy(token_type, "SAM"); | |
99 | break; | |
100 | case 0x70 ... 0x7f: | |
101 | strcpy(token_type, "GAM"); | |
102 | break; | |
103 | default: | |
104 | strcpy(token_type, "???"); | |
105 | break; | |
106 | } | |
107 | ||
108 | stamp_len = 0xfc - data_buf[6]; | |
109 | ||
110 | PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u", | |
111 | data_buf[5], | |
112 | data_buf[6], | |
113 | token_type, | |
114 | (data_buf[5]&0x80)>>7, | |
115 | stamp_len | |
116 | ); | |
117 | ||
118 | PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x", | |
119 | data_buf[7]&0x0f, | |
120 | (data_buf[7]&0x70)>>4, | |
121 | (data_buf[7]&0x80)>>7, | |
122 | data_buf[7], | |
123 | data_buf[8] | |
124 | ); | |
125 | ||
126 | PrintAndLog("Remaining Header Area"); | |
127 | ||
128 | PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", | |
129 | data_buf[9], | |
130 | data_buf[10], | |
131 | data_buf[11], | |
132 | data_buf[12], | |
133 | data_buf[13], | |
134 | data_buf[14], | |
135 | data_buf[15], | |
136 | data_buf[16], | |
137 | data_buf[17], | |
138 | data_buf[18], | |
139 | data_buf[19], | |
140 | data_buf[20], | |
141 | data_buf[21] | |
142 | ); | |
143 | ||
144 | PrintAndLog("\nADF: User Area"); | |
145 | ||
146 | i = 22; | |
147 | for (n=0; n<64; n++) { | |
148 | segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc); | |
149 | segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4; | |
150 | ||
151 | wrp = (data_buf[i+2]^crc); | |
152 | wrc = ((data_buf[i+3]^crc)&0x70)>>4; | |
153 | ||
154 | PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x", | |
155 | n, | |
156 | data_buf[i]^crc, | |
157 | data_buf[i+1]^crc, | |
158 | data_buf[i+2]^crc, | |
159 | data_buf[i+3]^crc, | |
160 | segment_flag, | |
161 | (segment_flag&0x4)>>2, | |
162 | (segment_flag&0x8)>>3, | |
163 | segment_len, | |
164 | wrp, | |
165 | wrc, | |
166 | ((data_buf[i+3]^crc)&0x80)>>7, | |
167 | (data_buf[i+4]^crc) | |
168 | ); | |
169 | ||
170 | i+=5; | |
171 | ||
172 | if (wrc>0) { | |
173 | PrintAndLog("WRC protected area:"); | |
174 | for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) { | |
175 | sprintf(&out_string[j], "%02x", (data_buf[i]^crc)); | |
176 | out_string[j+2] = ' '; | |
177 | }; | |
178 | ||
179 | out_string[j] = '\0'; | |
180 | ||
181 | PrintAndLog("%s", out_string); | |
182 | } | |
183 | ||
184 | if (wrp>wrc) { | |
185 | PrintAndLog("Remaining write protected area:"); | |
186 | ||
187 | for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) { | |
188 | sprintf(&out_string[j], "%02x", (data_buf[i]^crc)); | |
189 | out_string[j+2] = ' '; | |
190 | }; | |
191 | ||
192 | out_string[j] = '\0'; | |
193 | ||
194 | PrintAndLog("%s", out_string); | |
195 | if((wrp-wrc) == 8) { | |
196 | sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc); | |
197 | PrintAndLog("%s", out_string); | |
198 | } | |
199 | } | |
200 | ||
201 | PrintAndLog("Remaining segment payload:"); | |
202 | for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) { | |
203 | sprintf(&out_string[j], "%02x", (data_buf[i]^crc)); | |
204 | out_string[j+2] = ' '; | |
205 | }; | |
206 | ||
207 | out_string[j] = '\0'; | |
208 | ||
209 | PrintAndLog("%s", out_string); | |
210 | ||
211 | // end with last segment | |
212 | if (segment_flag & 0x8) | |
213 | return 0; | |
214 | }; | |
215 | return 0; | |
216 | } | |
217 | ||
218 | int CmdLegicRFRead(const char *Cmd) | |
219 | { | |
220 | int byte_count=0,offset=0; | |
221 | sscanf(Cmd, "%i %i", &offset, &byte_count); | |
222 | if(byte_count == 0) byte_count = -1; | |
223 | if(byte_count + offset > 1024) byte_count = 1024 - offset; | |
224 | UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}}; | |
225 | SendCommand(&c); | |
226 | return 0; | |
227 | } |