]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
Finishing touches on new mifare classic hack rework
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 //#include "proxusb.h"
14 #include "proxmark3.h"
15 #include "data.h"
16 #include "ui.h"
17 #include "cmdparser.h"
18 #include "cmdhflegic.h"
19 #include "cmdmain.h"
20
21 static int CmdHelp(const char *Cmd);
22
23 static command_t CommandTable[] =
24 {
25 {"help", CmdHelp, 1, "This help"},
26 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
27 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
28 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
29 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
30 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
31 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
32 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
33 {NULL, NULL, 0, NULL}
34 };
35
36 int CmdHFLegic(const char *Cmd)
37 {
38 CmdsParse(CommandTable, Cmd);
39 return 0;
40 }
41
42 int CmdHelp(const char *Cmd)
43 {
44 CmdsHelp(CommandTable);
45 return 0;
46 }
47
48 /*
49 * Output BigBuf and deobfuscate LEGIC RF tag data.
50 * This is based on information given in the talk held
51 * by Henryk Ploetz and Karsten Nohl at 26c3
52 */
53 int CmdLegicDecode(const char *Cmd)
54 {
55 int h, i, j, k, n;
56 int segment_len = 0;
57 int segment_flag = 0;
58 int stamp_len = 0;
59 int crc = 0;
60 int wrp = 0;
61 int wrc = 0;
62 int data_buf[1032]; // receiver buffer
63 char out_string[3076]; // just use big buffer - bad practice
64 char token_type[4];
65 int delivered = 0;
66
67 h = 0;
68
69 // copy data from proxmark into buffer
70 for (i = 0; i < 256; i += 12, h += 48) {
71 UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
72 SendCommand(&c);
73 WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, NULL);
74
75 for (j = 0; j < 48; j += 8) {
76 for (k = 0; k < 8; k++) {
77 data_buf[h+j+k] = sample_buf[j+k];
78 }
79 delivered += 8;
80 if (delivered >= 1024)
81 break;
82 }
83 }
84
85 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
86
87 PrintAndLog("\nCDF: System Area");
88
89 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
90 data_buf[0],
91 data_buf[1],
92 data_buf[2],
93 data_buf[3],
94 data_buf[4]
95 );
96
97 crc = data_buf[4];
98
99 switch (data_buf[5]&0x7f) {
100 case 0x00 ... 0x2f:
101 strncpy(token_type, "IAM",sizeof(token_type));
102 break;
103 case 0x30 ... 0x6f:
104 strcpy(token_type, "SAM");
105 break;
106 case 0x70 ... 0x7f:
107 strcpy(token_type, "GAM");
108 break;
109 default:
110 strcpy(token_type, "???");
111 break;
112 }
113
114 stamp_len = 0xfc - data_buf[6];
115
116 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
117 data_buf[5],
118 data_buf[6],
119 token_type,
120 (data_buf[5]&0x80)>>7,
121 stamp_len
122 );
123
124 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
125 data_buf[7]&0x0f,
126 (data_buf[7]&0x70)>>4,
127 (data_buf[7]&0x80)>>7,
128 data_buf[7],
129 data_buf[8]
130 );
131
132 PrintAndLog("Remaining Header Area");
133
134 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
135 data_buf[9],
136 data_buf[10],
137 data_buf[11],
138 data_buf[12],
139 data_buf[13],
140 data_buf[14],
141 data_buf[15],
142 data_buf[16],
143 data_buf[17],
144 data_buf[18],
145 data_buf[19],
146 data_buf[20],
147 data_buf[21]
148 );
149
150 PrintAndLog("\nADF: User Area");
151
152 i = 22;
153 for (n=0; n<64; n++) {
154 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
155 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
156
157 wrp = (data_buf[i+2]^crc);
158 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
159
160 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
161 n,
162 data_buf[i]^crc,
163 data_buf[i+1]^crc,
164 data_buf[i+2]^crc,
165 data_buf[i+3]^crc,
166 segment_flag,
167 (segment_flag&0x4)>>2,
168 (segment_flag&0x8)>>3,
169 segment_len,
170 wrp,
171 wrc,
172 ((data_buf[i+3]^crc)&0x80)>>7,
173 (data_buf[i+4]^crc)
174 );
175
176 i+=5;
177
178 if (wrc>0) {
179 PrintAndLog("WRC protected area:");
180 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
181 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
182 out_string[j+2] = ' ';
183 };
184
185 out_string[j] = '\0';
186
187 PrintAndLog("%s", out_string);
188 }
189
190 if (wrp>wrc) {
191 PrintAndLog("Remaining write protected area:");
192
193 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
194 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
195 out_string[j+2] = ' ';
196 };
197
198 out_string[j] = '\0';
199
200 PrintAndLog("%s", out_string);
201 if((wrp-wrc) == 8) {
202 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
203 PrintAndLog("%s", out_string);
204 }
205 }
206
207 PrintAndLog("Remaining segment payload:");
208 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
209 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
210 out_string[j+2] = ' ';
211 };
212
213 out_string[j] = '\0';
214
215 PrintAndLog("%s", out_string);
216
217 // end with last segment
218 if (segment_flag & 0x8)
219 return 0;
220 };
221 return 0;
222 }
223
224 int CmdLegicRFRead(const char *Cmd)
225 {
226 int byte_count=0,offset=0;
227 sscanf(Cmd, "%i %i", &offset, &byte_count);
228 if(byte_count == 0) byte_count = -1;
229 if(byte_count + offset > 1024) byte_count = 1024 - offset;
230 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
231 SendCommand(&c);
232 return 0;
233 }
234
235 int CmdLegicLoad(const char *Cmd)
236 {
237 FILE *f = fopen(Cmd, "r");
238 if(!f) {
239 PrintAndLog("couldn't open '%s'", Cmd);
240 return -1;
241 }
242 char line[80]; int offset = 0; unsigned int data[8];
243 while(fgets(line, sizeof(line), f)) {
244 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
245 &data[0], &data[1], &data[2], &data[3],
246 &data[4], &data[5], &data[6], &data[7]);
247 if(res != 8) {
248 PrintAndLog("Error: could not read samples");
249 fclose(f);
250 return -1;
251 }
252 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
253 int j; for(j = 0; j < 8; j++) {
254 c.d.asBytes[j] = data[j];
255 }
256 SendCommand(&c);
257 WaitForResponse(CMD_ACK, NULL);
258 offset += 8;
259 }
260 fclose(f);
261 PrintAndLog("loaded %u samples", offset);
262 return 0;
263 }
264
265 int CmdLegicSave(const char *Cmd)
266 {
267 int n;
268 int requested = 1024;
269 int offset = 0;
270 char filename[1024];
271 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
272 if (offset % 4 != 0) {
273 PrintAndLog("Offset must be a multiple of 4");
274 return 0;
275 }
276 offset = offset/4;
277
278 int delivered = 0;
279
280 if (requested == 0) {
281 n = 12;
282 requested = 12;
283 } else {
284 n = requested/4;
285 }
286
287 FILE *f = fopen(filename, "w");
288 if(!f) {
289 PrintAndLog("couldn't open '%s'", Cmd+1);
290 return -1;
291 }
292
293 for (int i = offset; i < n+offset; i += 12) {
294 UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
295 SendCommand(&c);
296 WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, NULL);
297 for (int j = 0; j < 48; j += 8) {
298 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
299 sample_buf[j+0],
300 sample_buf[j+1],
301 sample_buf[j+2],
302 sample_buf[j+3],
303 sample_buf[j+4],
304 sample_buf[j+5],
305 sample_buf[j+6],
306 sample_buf[j+7]
307 );
308 delivered += 8;
309 if (delivered >= requested)
310 break;
311 }
312 if (delivered >= requested)
313 break;
314 }
315
316 fclose(f);
317 PrintAndLog("saved %u samples", delivered);
318 return 0;
319 }
320
321 int CmdLegicRfSim(const char *Cmd)
322 {
323 UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
324 c.arg[0] = 6;
325 c.arg[1] = 3;
326 c.arg[2] = 0;
327 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
328 SendCommand(&c);
329 return 0;
330 }
331
332 int CmdLegicRfWrite(const char *Cmd)
333 {
334 UsbCommand c={CMD_WRITER_LEGIC_RF};
335 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
336 if(res != 2) {
337 PrintAndLog("Please specify the offset and length as two hex strings");
338 return -1;
339 }
340 SendCommand(&c);
341 return 0;
342 }
343
344 int CmdLegicRfFill(const char *Cmd)
345 {
346 UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
347 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
348 if(res != 3) {
349 PrintAndLog("Please specify the offset, length and value as two hex strings");
350 return -1;
351 }
352
353 int i;
354 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
355 for(i = 0; i < 48; i++) {
356 c.d.asBytes[i] = cmd.arg[2];
357 }
358 for(i = 0; i < 22; i++) {
359 c.arg[0] = i*48;
360 SendCommand(&c);
361 WaitForResponse(CMD_ACK,NULL);
362 }
363 SendCommand(&cmd);
364 return 0;
365 }
366
Impressum, Datenschutz