]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
ADD: added the possibility to choose which block num to attack with "hf mf mifare...
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxmark3.h"
14 #include "data.h"
15 #include "ui.h"
16 #include "cmdparser.h"
17 #include "cmdhflegic.h"
18 #include "cmdmain.h"
19 #include "util.h"
20 static int CmdHelp(const char *Cmd);
21
22 /*
23 * Output BigBuf and deobfuscate LEGIC RF tag data.
24 * This is based on information given in the talk held
25 * by Henryk Ploetz and Karsten Nohl at 26c3
26 */
27 int CmdLegicDecode(const char *Cmd)
28 {
29 int i, j, k, n;
30 int segment_len = 0;
31 int segment_flag = 0;
32 int stamp_len = 0;
33 int crc = 0;
34 int wrp = 0;
35 int wrc = 0;
36 uint8_t data_buf[3076]; // receiver buffer
37 char out_string[3076]; // just use big buffer - bad practice
38 char token_type[4];
39
40 // copy data from proxmark into buffer
41 GetFromBigBuf(data_buf,sizeof(data_buf),0);
42 WaitForResponse(CMD_ACK,NULL);
43
44 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
45
46 PrintAndLog("\nCDF: System Area");
47
48 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
49 data_buf[0],
50 data_buf[1],
51 data_buf[2],
52 data_buf[3],
53 data_buf[4]
54 );
55
56 crc = data_buf[4];
57
58 switch (data_buf[5]&0x7f) {
59 case 0x00 ... 0x2f:
60 strncpy(token_type, "IAM",sizeof(token_type));
61 break;
62 case 0x30 ... 0x6f:
63 strcpy(token_type, "SAM");
64 break;
65 case 0x70 ... 0x7f:
66 strcpy(token_type, "GAM");
67 break;
68 default:
69 strcpy(token_type, "???");
70 break;
71 }
72
73 stamp_len = 0xfc - data_buf[6];
74
75 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
76 data_buf[5],
77 data_buf[6],
78 token_type,
79 (data_buf[5]&0x80)>>7,
80 stamp_len
81 );
82
83 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
84 data_buf[7]&0x0f,
85 (data_buf[7]&0x70)>>4,
86 (data_buf[7]&0x80)>>7,
87 data_buf[7],
88 data_buf[8]
89 );
90
91 PrintAndLog("Remaining Header Area");
92 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
93 PrintAndLog("\nADF: User Area");
94
95 i = 22;
96 for ( n=0; n<64; n++ ) {
97 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
98 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
99
100 wrp = (data_buf[i+2]^crc);
101 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
102
103 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
104 n,
105 data_buf[i]^crc,
106 data_buf[i+1]^crc,
107 data_buf[i+2]^crc,
108 data_buf[i+3]^crc,
109 segment_flag,
110 (segment_flag&0x4)>>2,
111 (segment_flag&0x8)>>3,
112 segment_len,
113 wrp,
114 wrc,
115 ((data_buf[i+3]^crc)&0x80)>>7,
116 (data_buf[i+4]^crc)
117 );
118
119 i+=5;
120
121 if ( wrc>0 ) {
122 PrintAndLog("WRC protected area:");
123 for ( k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
124 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
125 out_string[j+2] = ' ';
126 }
127
128 out_string[j] = '\0';
129
130 PrintAndLog("%s", out_string);
131 }
132
133 if ( wrp>wrc ) {
134 PrintAndLog("Remaining write protected area:");
135
136 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
137 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
138 out_string[j+2] = ' ';
139 };
140
141 out_string[j] = '\0';
142
143 PrintAndLog("%s", out_string);
144 if( (wrp-wrc) == 8 ) {
145 sprintf(out_string, "Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
146 PrintAndLog("%s", out_string);
147 }
148 }
149
150 PrintAndLog("Remaining segment payload:");
151 for ( k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
152 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
153 out_string[j+2] = ' ';
154 };
155
156 out_string[j] = '\0';
157
158 PrintAndLog("%s", out_string);
159
160 // end with last segment
161 if (segment_flag & 0x8) return 0;
162
163 } // end for loop
164 return 0;
165 }
166
167 int CmdLegicRFRead(const char *Cmd) {
168 int byte_count=0, offset=0;
169 sscanf(Cmd, "%i %i", &offset, &byte_count);
170 if(byte_count == 0) byte_count = -1;
171 if(byte_count + offset > 1024) byte_count = 1024 - offset;
172
173 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
174 clearCommandBuffer();
175 SendCommand(&c);
176 return 0;
177 }
178
179 int CmdLegicLoad(const char *Cmd) {
180 char filename[FILE_PATH_SIZE] = {0x00};
181 int len = 0;
182
183 char cmdp = param_getchar(Cmd, 0);
184 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) {
185 PrintAndLog("It loads datasamples from the file `filename` to device memory");
186 PrintAndLog("Usage: hf legic load <file name>");
187 PrintAndLog(" sample: hf legic load filename");
188 return 0;
189 }
190
191 len = strlen(Cmd);
192 if (len > FILE_PATH_SIZE) {
193 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
194 return 0;
195 }
196 memcpy(filename, Cmd, len);
197
198 FILE *f = fopen(filename, "r");
199 if(!f) {
200 PrintAndLog("couldn't open '%s'", Cmd);
201 return -1;
202 }
203
204 char line[80];
205 int offset = 0;
206 uint32_t data[8] = {0x00};
207
208 while ( fgets(line, sizeof(line), f) ) {
209 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
210 &data[0], &data[1], &data[2], &data[3],
211 &data[4], &data[5], &data[6], &data[7]);
212
213 if(res != 8) {
214 PrintAndLog("Error: could not read samples");
215 fclose(f);
216 return -1;
217 }
218
219 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
220 memcpy(c.d.asBytes, data, 8);
221 clearCommandBuffer();
222 SendCommand(&c);
223 WaitForResponse(CMD_ACK, NULL);
224 offset += 8;
225 }
226 fclose(f);
227 PrintAndLog("loaded %u samples", offset);
228 return 0;
229 }
230
231 int CmdLegicSave(const char *Cmd) {
232 int requested = 1024;
233 int offset = 0;
234 int delivered = 0;
235 char filename[FILE_PATH_SIZE];
236 uint8_t got[1024] = {0x00};
237
238 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
239
240 /* If no length given save entire legic read buffer */
241 /* round up to nearest 8 bytes so the saved data can be used with legicload */
242 if (requested == 0)
243 requested = 1024;
244
245 if (requested % 8 != 0) {
246 int remainder = requested % 8;
247 requested = requested + 8 - remainder;
248 }
249
250 if (offset + requested > sizeof(got)) {
251 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
252 return 0;
253 }
254
255 FILE *f = fopen(filename, "w");
256 if(!f) {
257 PrintAndLog("couldn't open '%s'", Cmd+1);
258 return -1;
259 }
260
261 GetFromBigBuf(got,requested,offset);
262 WaitForResponse(CMD_ACK,NULL);
263
264 for (int j = 0; j < requested; j += 8) {
265 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
266 got[j+0],
267 got[j+1],
268 got[j+2],
269 got[j+3],
270 got[j+4],
271 got[j+5],
272 got[j+6],
273 got[j+7]
274 );
275 delivered += 8;
276 if (delivered >= requested) break;
277 }
278
279 fclose(f);
280 PrintAndLog("saved %u samples", delivered);
281 return 0;
282 }
283
284 int CmdLegicRfSim(const char *Cmd) {
285 UsbCommand c= {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
286 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
287 clearCommandBuffer();
288 SendCommand(&c);
289 return 0;
290 }
291
292 int CmdLegicRfWrite(const char *Cmd) {
293 UsbCommand c = {CMD_WRITER_LEGIC_RF};
294 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
295 if(res != 2) {
296 PrintAndLog("Please specify the offset and length as two hex strings");
297 return -1;
298 }
299 clearCommandBuffer();
300 SendCommand(&c);
301 return 0;
302 }
303
304 int CmdLegicRfFill(const char *Cmd) {
305 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
306 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
307 if(res != 3) {
308 PrintAndLog("Please specify the offset, length and value as two hex strings");
309 return -1;
310 }
311
312 int i;
313 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
314 for(i = 0; i < 48; i++) {
315 c.d.asBytes[i] = cmd.arg[2];
316 }
317
318 for(i = 0; i < 22; i++) {
319 c.arg[0] = i*48;
320 SendCommand(&c);
321 WaitForResponse(CMD_ACK,NULL);
322 }
323 clearCommandBuffer();
324 SendCommand(&cmd);
325 return 0;
326 }
327
328 static command_t CommandTable[] = {
329 {"help", CmdHelp, 1, "This help"},
330 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
331 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
332 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
333 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
334 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
335 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
336 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
337 {NULL, NULL, 0, NULL}
338 };
339
340 int CmdHFLegic(const char *Cmd) {
341 clearCommandBuffer();
342 CmdsParse(CommandTable, Cmd);
343 return 0;
344 }
345
346 int CmdHelp(const char *Cmd) {
347 CmdsHelp(CommandTable);
348 return 0;
349 }
Impressum, Datenschutz