]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
CHG: some timing
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxmark3.h"
14 #include "data.h"
15 #include "ui.h"
16 #include "cmdparser.h"
17 #include "cmdhflegic.h"
18 #include "cmdmain.h"
19 #include "util.h"
20 #include "crc.h"
21 static int CmdHelp(const char *Cmd);
22
23 int usage_legic_calccrc8(void){
24 PrintAndLog("Calculates the legic crc8 on the input hexbytes.");
25 PrintAndLog("There must be an even number of hexsymbols as input.");
26 PrintAndLog("Usage: hf legic crc8 <hexbytes>");
27 PrintAndLog("Options :");
28 PrintAndLog(" <hexbytes> : hex bytes in a string");
29 PrintAndLog("");
30 PrintAndLog("Sample : hf legic crc8 deadbeef1122");
31 return 0;
32 }
33
34 int usage_legic_load(void){
35 PrintAndLog("It loads datasamples from the file `filename` to device memory");
36 PrintAndLog("Usage: hf legic load <file name>");
37 PrintAndLog(" sample: hf legic load filename");
38 return 0;
39 }
40
41 /*
42 * Output BigBuf and deobfuscate LEGIC RF tag data.
43 * This is based on information given in the talk held
44 * by Henryk Ploetz and Karsten Nohl at 26c3
45 */
46 int CmdLegicDecode(const char *Cmd) {
47 // Index for the bytearray.
48 int i = 0;
49 int k = 0, segmentNum;
50 int segment_len = 0;
51 int segment_flag = 0;
52 uint8_t stamp_len = 0;
53 int crc = 0;
54 int wrp = 0;
55 int wrc = 0;
56 uint8_t data_buf[1200]; // receiver buffer, should be 1024..
57 char token_type[4];
58
59 // copy data from proxmark into buffer
60 GetFromBigBuf(data_buf, sizeof(data_buf), 0);
61 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
62 PrintAndLog("Command execute timeout");
63 return 1;
64 }
65
66 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
67 crc = data_buf[4];
68 uint32_t calc_crc = CRC8Legic(data_buf, 4);
69
70 PrintAndLog("\nCDF: System Area");
71
72 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
73 data_buf[0],
74 data_buf[1],
75 data_buf[2],
76 data_buf[3],
77 data_buf[4],
78 (calc_crc == crc) ? "OK":"Fail"
79 );
80
81 switch (data_buf[5] & 0x7f) {
82 case 0x00 ... 0x2f:
83 strncpy(token_type, "IAM",sizeof(token_type));
84 break;
85 case 0x30 ... 0x6f:
86 strncpy(token_type, "SAM",sizeof(token_type));
87 break;
88 case 0x70 ... 0x7f:
89 strncpy(token_type, "GAM",sizeof(token_type));
90 break;
91 default:
92 strncpy(token_type, "???",sizeof(token_type));
93 break;
94 }
95
96 stamp_len = 0xfc - data_buf[6];
97
98 PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
99 data_buf[5],
100 data_buf[6],
101 token_type,
102 (data_buf[5]&0x80)>>7,
103 stamp_len
104 );
105
106 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
107 data_buf[7]&0x0f,
108 (data_buf[7]&0x70)>>4,
109 (data_buf[7]&0x80)>>7,
110 data_buf[7],
111 data_buf[8]
112 );
113
114 PrintAndLog("Remaining Header Area");
115 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
116
117 uint8_t segCrcBytes[8] = {0x00};
118 uint32_t segCalcCRC = 0;
119 uint32_t segCRC = 0;
120
121 PrintAndLog("\nADF: User Area");
122 printf("-------------------------------------\n");
123 i = 22;
124 // 64 potential segements
125 // how to detect there is no segments?!?
126 for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
127 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
128 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
129
130 wrp = (data_buf[i+2]^crc);
131 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
132
133 bool hasWRC = (wrc > 0);
134 bool hasWRP = (wrp > wrc);
135 int wrp_len = (wrp - wrc);
136 int remain_seg_payload_len = (segment_len - wrp - 5);
137
138 // validate segment-crc
139 segCrcBytes[0]=data_buf[0]; //uid0
140 segCrcBytes[1]=data_buf[1]; //uid1
141 segCrcBytes[2]=data_buf[2]; //uid2
142 segCrcBytes[3]=data_buf[3]; //uid3
143 segCrcBytes[4]=(data_buf[i]^crc); //hdr0
144 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
145 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
146 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
147
148 segCalcCRC = CRC8Legic(segCrcBytes, 8);
149 segCRC = data_buf[i+4]^crc;
150
151 PrintAndLog("Segment %02u \nraw header=0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
152 segmentNum,
153 data_buf[i]^crc,
154 data_buf[i+1]^crc,
155 data_buf[i+2]^crc,
156 data_buf[i+3]^crc,
157 segment_len,
158 segment_flag,
159 (segment_flag & 0x4) >> 2,
160 (segment_flag & 0x8) >> 3,
161 wrp,
162 wrc,
163 ((data_buf[i+3]^crc) & 0x80) >> 7,
164 segCRC,
165 ( segCRC == segCalcCRC ) ? "OK" : "fail"
166 );
167
168 i += 5;
169
170 if ( hasWRC ) {
171 PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
172
173 // de-xor? if not zero, assume it needs xoring.
174 if ( data_buf[i] > 0) {
175 for ( k=i; k < wrc; ++k)
176 data_buf[k] ^= crc;
177 }
178 print_hex_break( data_buf+i, wrc, 16);
179
180 i += wrc;
181 }
182
183 if ( hasWRP ) {
184 PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
185
186 // de-xor? if not zero, assume it needs xoring.
187 if ( data_buf[i] > 0) {
188 for (k=i; k < wrp_len; ++k)
189 data_buf[k] ^= crc;
190 }
191
192 print_hex_break( data_buf+i, wrp_len, 16);
193
194 i += wrp_len;
195
196 // does this one work?
197 if( wrp_len == 8 )
198 PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
199 }
200
201 PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
202
203 if ( data_buf[i] > 0 ) {
204 for ( k=i; k < remain_seg_payload_len; ++k)
205 data_buf[k] ^= crc;
206 }
207
208 print_hex_break( data_buf+i, remain_seg_payload_len, 16);
209
210 i += remain_seg_payload_len;
211
212 printf("\n-------------------------------------\n");
213
214 // end with last segment
215 if (segment_flag & 0x8) return 0;
216
217 } // end for loop
218 return 0;
219 }
220
221 int CmdLegicRFRead(const char *Cmd) {
222 int byte_count=0, offset=0;
223 sscanf(Cmd, "%i %i", &offset, &byte_count);
224 if(byte_count == 0) byte_count = -1;
225 if(byte_count + offset > 1024) byte_count = 1024 - offset;
226
227 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
228 clearCommandBuffer();
229 SendCommand(&c);
230 return 0;
231 }
232
233 int CmdLegicLoad(const char *Cmd) {
234
235 char cmdp = param_getchar(Cmd, 0);
236 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
237
238 char filename[FILE_PATH_SIZE] = {0x00};
239 int len = strlen(Cmd);
240
241 if (len > FILE_PATH_SIZE) {
242 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
243 return 0;
244 }
245 memcpy(filename, Cmd, len);
246
247 FILE *f = fopen(filename, "r");
248 if(!f) {
249 PrintAndLog("couldn't open '%s'", Cmd);
250 return -1;
251 }
252
253 char line[80];
254 int offset = 0;
255 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
256 int index = 0;
257 int totalbytes = 0;
258 while ( fgets(line, sizeof(line), f) ) {
259 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
260 (unsigned int *)&data[index],
261 (unsigned int *)&data[index + 1],
262 (unsigned int *)&data[index + 2],
263 (unsigned int *)&data[index + 3],
264 (unsigned int *)&data[index + 4],
265 (unsigned int *)&data[index + 5],
266 (unsigned int *)&data[index + 6],
267 (unsigned int *)&data[index + 7]);
268
269 if(res != 8) {
270 PrintAndLog("Error: could not read samples");
271 fclose(f);
272 return -1;
273 }
274 index += res;
275
276 if ( index == USB_CMD_DATA_SIZE ){
277 // PrintAndLog("sent %d | %d | %d", index, offset, totalbytes);
278 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
279 memcpy(c.d.asBytes, data, sizeof(data));
280 clearCommandBuffer();
281 SendCommand(&c);
282 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
283 PrintAndLog("Command execute timeout");
284 fclose(f);
285 return 1;
286 }
287 offset += index;
288 totalbytes += index;
289 index = 0;
290 }
291 }
292 fclose(f);
293
294 // left over bytes?
295 if ( index != 0 ) {
296 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
297 memcpy(c.d.asBytes, data, 8);
298 clearCommandBuffer();
299 SendCommand(&c);
300 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
301 PrintAndLog("Command execute timeout");
302 return 1;
303 }
304 totalbytes += index;
305 }
306
307 PrintAndLog("loaded %u samples", totalbytes);
308 return 0;
309 }
310
311 int CmdLegicSave(const char *Cmd) {
312 int requested = 1024;
313 int offset = 0;
314 int delivered = 0;
315 char filename[FILE_PATH_SIZE];
316 uint8_t got[1024] = {0x00};
317
318 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
319
320 /* If no length given save entire legic read buffer */
321 /* round up to nearest 8 bytes so the saved data can be used with legicload */
322 if (requested == 0)
323 requested = 1024;
324
325 if (requested % 8 != 0) {
326 int remainder = requested % 8;
327 requested = requested + 8 - remainder;
328 }
329
330 if (offset + requested > sizeof(got)) {
331 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
332 return 0;
333 }
334
335 FILE *f = fopen(filename, "w");
336 if(!f) {
337 PrintAndLog("couldn't open '%s'", Cmd+1);
338 return -1;
339 }
340
341 GetFromBigBuf(got, requested, offset);
342 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
343 PrintAndLog("Command execute timeout");
344 return 1;
345 }
346
347 for (int j = 0; j < requested; j += 8) {
348 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
349 got[j+0], got[j+1], got[j+2], got[j+3],
350 got[j+4], got[j+5], got[j+6], got[j+7]
351 );
352 delivered += 8;
353 if (delivered >= requested) break;
354 }
355
356 fclose(f);
357 PrintAndLog("saved %u samples", delivered);
358 return 0;
359 }
360
361 //TODO: write a help text (iceman)
362 int CmdLegicRfSim(const char *Cmd) {
363 UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
364 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
365 clearCommandBuffer();
366 SendCommand(&c);
367 return 0;
368 }
369
370 //TODO: write a help text (iceman)
371 int CmdLegicRfWrite(const char *Cmd) {
372 UsbCommand c = {CMD_WRITER_LEGIC_RF};
373 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
374 if(res != 2) {
375 PrintAndLog("Please specify the offset and length as two hex strings");
376 return -1;
377 }
378 clearCommandBuffer();
379 SendCommand(&c);
380 return 0;
381 }
382
383 int CmdLegicRfFill(const char *Cmd) {
384 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
385 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
386 if(res != 3) {
387 PrintAndLog("Please specify the offset, length and value as two hex strings");
388 return -1;
389 }
390
391 int i;
392 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
393 for(i = 0; i < 48; i++) {
394 c.d.asBytes[i] = cmd.arg[2];
395 }
396
397 for(i = 0; i < 22; i++) {
398 c.arg[0] = i*48;
399 SendCommand(&c);
400 WaitForResponse(CMD_ACK,NULL);
401 }
402 clearCommandBuffer();
403 SendCommand(&cmd);
404 return 0;
405 }
406
407 int CmdLegicCalcCrc8(const char *Cmd){
408
409 int len = strlen(Cmd);
410 if (len & 1 ) return usage_legic_calccrc8();
411
412 uint8_t *data = malloc(len);
413 if ( data == NULL ) return 1;
414
415 param_gethex(Cmd, 0, data, len );
416
417 uint32_t checksum = CRC8Legic(data, len/2);
418 PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
419 free(data);
420 return 0;
421 }
422
423 static command_t CommandTable[] = {
424 {"help", CmdHelp, 1, "This help"},
425 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
426 {"read", CmdLegicRFRead, 0, "[offset][length] -- read bytes from a LEGIC card"},
427 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
428 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
429 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
430 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
431 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
432 {"crc8", CmdLegicCalcCrc8, 1, "Calculate Legic CRC8 over given hexbytes"},
433 {NULL, NULL, 0, NULL}
434 };
435
436 int CmdHFLegic(const char *Cmd) {
437 clearCommandBuffer();
438 CmdsParse(CommandTable, Cmd);
439 return 0;
440 }
441
442 int CmdHelp(const char *Cmd) {
443 CmdsHelp(CommandTable);
444 return 0;
445 }
Impressum, Datenschutz