]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
CHG: a bit code clean up,
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxmark3.h"
14 #include "data.h"
15 #include "ui.h"
16 #include "cmdparser.h"
17 #include "cmdhflegic.h"
18 #include "cmdmain.h"
19 #include "util.h"
20 #include "crc.h"
21 static int CmdHelp(const char *Cmd);
22
23 int usage_legic_calccrc8(void){
24 PrintAndLog("Calculates the legic crc8 on the input hexbytes.");
25 PrintAndLog("There must be an even number of hexsymbols as input.");
26 PrintAndLog("Usage: hf legic crc8 <hexbytes>");
27 PrintAndLog("Options :");
28 PrintAndLog(" <hexbytes> : hex bytes in a string");
29 PrintAndLog("");
30 PrintAndLog("Sample : hf legic crc8 deadbeef1122");
31 return 0;
32 }
33
34 int usage_legic_load(void){
35 PrintAndLog("It loads datasamples from the file `filename` to device memory");
36 PrintAndLog("Usage: hf legic load <file name>");
37 PrintAndLog(" sample: hf legic load filename");
38 return 0;
39 }
40
41 /*
42 * Output BigBuf and deobfuscate LEGIC RF tag data.
43 * This is based on information given in the talk held
44 * by Henryk Ploetz and Karsten Nohl at 26c3
45 */
46 int CmdLegicDecode(const char *Cmd) {
47 // Index for the bytearray.
48 int i = 0;
49 int k = 0, segmentNum;
50 int segment_len = 0;
51 int segment_flag = 0;
52 uint8_t stamp_len = 0;
53 int crc = 0;
54 int wrp = 0;
55 int wrc = 0;
56 uint8_t data_buf[1200]; // receiver buffer, should be 1024..
57 char token_type[4];
58
59 // copy data from proxmark into buffer
60 GetFromBigBuf(data_buf, sizeof(data_buf), 0);
61 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
62 PrintAndLog("Command execute timeout");
63 return 1;
64 }
65
66 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
67 crc = data_buf[4];
68 uint32_t calc_crc = CRC8Legic(data_buf, 4);
69
70 PrintAndLog("\nCDF: System Area");
71 PrintAndLog("------------------------------------------------------");
72 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
73 data_buf[0],
74 data_buf[1],
75 data_buf[2],
76 data_buf[3],
77 data_buf[4],
78 (calc_crc == crc) ? "OK":"Fail"
79 );
80
81 switch (data_buf[5] & 0x7f) {
82 case 0x00 ... 0x2f:
83 strncpy(token_type, "IAM",sizeof(token_type));
84 break;
85 case 0x30 ... 0x6f:
86 strncpy(token_type, "SAM",sizeof(token_type));
87 break;
88 case 0x70 ... 0x7f:
89 strncpy(token_type, "GAM",sizeof(token_type));
90 break;
91 default:
92 strncpy(token_type, "???",sizeof(token_type));
93 break;
94 }
95
96 stamp_len = 0xfc - data_buf[6];
97
98 PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
99 data_buf[5],
100 data_buf[6],
101 token_type,
102 (data_buf[5]&0x80)>>7,
103 stamp_len
104 );
105
106 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
107 data_buf[7]&0x0f,
108 (data_buf[7]&0x70)>>4,
109 (data_buf[7]&0x80)>>7,
110 data_buf[7],
111 data_buf[8]
112 );
113
114 PrintAndLog("Remaining Header Area");
115 PrintAndLog("%s", sprint_hex(data_buf+9, 13));
116
117 uint8_t segCrcBytes[8] = {0x00};
118 uint32_t segCalcCRC = 0;
119 uint32_t segCRC = 0;
120
121 // see if user area is xored or just zeros.
122 int numOfZeros = 0;
123 for (int index=22; index < 256; ++index){
124 if ( data_buf[index] == 0x00 )
125 ++numOfZeros;
126 }
127 // if possible zeros is less then 60%, lets assume data is xored
128 // 256 - 22 (header) = 234
129 // 1024 - 22 (header) = 1002
130 int isXored = (numOfZeros*100/stamp_len) < 50;
131 PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len));
132
133 print_hex_break( data_buf, 33, 16);
134
135 PrintAndLog("\nADF: User Area");
136 PrintAndLog("------------------------------------------------------");
137 i = 22;
138 // 64 potential segements
139 // how to detect there is no segments?!?
140 for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
141 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
142 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
143
144 wrp = (data_buf[i+2]^crc);
145 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
146
147 bool hasWRC = (wrc > 0);
148 bool hasWRP = (wrp > wrc);
149 int wrp_len = (wrp - wrc);
150 int remain_seg_payload_len = (segment_len - wrp - 5);
151
152 // validate segment-crc
153 segCrcBytes[0]=data_buf[0]; //uid0
154 segCrcBytes[1]=data_buf[1]; //uid1
155 segCrcBytes[2]=data_buf[2]; //uid2
156 segCrcBytes[3]=data_buf[3]; //uid3
157 segCrcBytes[4]=(data_buf[i]^crc); //hdr0
158 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
159 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
160 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
161
162 segCalcCRC = CRC8Legic(segCrcBytes, 8);
163 segCRC = data_buf[i+4]^crc;
164
165 PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
166 segmentNum,
167 data_buf[i]^crc,
168 data_buf[i+1]^crc,
169 data_buf[i+2]^crc,
170 data_buf[i+3]^crc,
171 segment_len,
172 segment_flag,
173 (segment_flag & 0x4) >> 2,
174 (segment_flag & 0x8) >> 3,
175 wrp,
176 wrc,
177 ((data_buf[i+3]^crc) & 0x80) >> 7,
178 segCRC,
179 ( segCRC == segCalcCRC ) ? "OK" : "fail"
180 );
181
182 i += 5;
183
184 if ( hasWRC ) {
185 PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
186 PrintAndLog("\nrow | data");
187 PrintAndLog("-----+------------------------------------------------");
188 // de-xor? if not zero, assume it needs xoring.
189 if ( isXored) {
190 for ( k=i; k < wrc; ++k)
191 data_buf[k] ^= crc;
192 }
193 print_hex_break( data_buf+i, wrc, 16);
194
195 i += wrc;
196 }
197
198 if ( hasWRP ) {
199 PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
200 PrintAndLog("\nrow | data");
201 PrintAndLog("-----+------------------------------------------------");
202
203 if (isXored) {
204 for (k=i; k < wrp_len; ++k)
205 data_buf[k] ^= crc;
206 }
207
208 print_hex_break( data_buf+i, wrp_len, 16);
209
210 i += wrp_len;
211
212 // does this one work?
213 if( wrp_len == 8 )
214 PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
215 }
216
217 PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
218 PrintAndLog("\nrow | data");
219 PrintAndLog("-----+------------------------------------------------");
220 if ( isXored ) {
221 for ( k=i; k < remain_seg_payload_len; ++k)
222 data_buf[k] ^= crc;
223 }
224
225 print_hex_break( data_buf+i, remain_seg_payload_len, 16);
226
227 i += remain_seg_payload_len;
228
229 PrintAndLog("-----+------------------------------------------------\n");
230
231 // end with last segment
232 if (segment_flag & 0x8) return 0;
233
234 } // end for loop
235 return 0;
236 }
237
238 int CmdLegicRFRead(const char *Cmd) {
239 int byte_count=0, offset=0;
240 sscanf(Cmd, "%i %i", &offset, &byte_count);
241 if(byte_count == 0) byte_count = -1;
242 if(byte_count + offset > 1024) byte_count = 1024 - offset;
243
244 UsbCommand c= {CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
245 clearCommandBuffer();
246 SendCommand(&c);
247 return 0;
248 }
249
250 int CmdLegicLoad(const char *Cmd) {
251
252 char cmdp = param_getchar(Cmd, 0);
253 if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
254
255 char filename[FILE_PATH_SIZE] = {0x00};
256 int len = strlen(Cmd);
257
258 if (len > FILE_PATH_SIZE) {
259 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
260 return 0;
261 }
262 memcpy(filename, Cmd, len);
263
264 FILE *f = fopen(filename, "r");
265 if(!f) {
266 PrintAndLog("couldn't open '%s'", Cmd);
267 return -1;
268 }
269
270 char line[80];
271 int offset = 0;
272 uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
273 int index = 0;
274 int totalbytes = 0;
275 while ( fgets(line, sizeof(line), f) ) {
276 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
277 (unsigned int *)&data[index],
278 (unsigned int *)&data[index + 1],
279 (unsigned int *)&data[index + 2],
280 (unsigned int *)&data[index + 3],
281 (unsigned int *)&data[index + 4],
282 (unsigned int *)&data[index + 5],
283 (unsigned int *)&data[index + 6],
284 (unsigned int *)&data[index + 7]);
285
286 if(res != 8) {
287 PrintAndLog("Error: could not read samples");
288 fclose(f);
289 return -1;
290 }
291 index += res;
292
293 if ( index == USB_CMD_DATA_SIZE ){
294 // PrintAndLog("sent %d | %d | %d", index, offset, totalbytes);
295 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
296 memcpy(c.d.asBytes, data, sizeof(data));
297 clearCommandBuffer();
298 SendCommand(&c);
299 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
300 PrintAndLog("Command execute timeout");
301 fclose(f);
302 return 1;
303 }
304 offset += index;
305 totalbytes += index;
306 index = 0;
307 }
308 }
309 fclose(f);
310
311 // left over bytes?
312 if ( index != 0 ) {
313 UsbCommand c = { CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
314 memcpy(c.d.asBytes, data, 8);
315 clearCommandBuffer();
316 SendCommand(&c);
317 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
318 PrintAndLog("Command execute timeout");
319 return 1;
320 }
321 totalbytes += index;
322 }
323
324 PrintAndLog("loaded %u samples", totalbytes);
325 return 0;
326 }
327
328 int CmdLegicSave(const char *Cmd) {
329 int requested = 1024;
330 int offset = 0;
331 int delivered = 0;
332 char filename[FILE_PATH_SIZE];
333 uint8_t got[1024] = {0x00};
334
335 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
336
337 /* If no length given save entire legic read buffer */
338 /* round up to nearest 8 bytes so the saved data can be used with legicload */
339 if (requested == 0)
340 requested = 1024;
341
342 if (requested % 8 != 0) {
343 int remainder = requested % 8;
344 requested = requested + 8 - remainder;
345 }
346
347 if (offset + requested > sizeof(got)) {
348 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
349 return 0;
350 }
351
352 GetFromBigBuf(got, requested, offset);
353 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
354 PrintAndLog("Command execute timeout");
355 return 1;
356 }
357
358 FILE *f = fopen(filename, "w");
359 if(!f) {
360 PrintAndLog("couldn't open '%s'", Cmd+1);
361 return -1;
362 }
363
364 for (int j = 0; j < requested; j += 8) {
365 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
366 got[j+0], got[j+1], got[j+2], got[j+3],
367 got[j+4], got[j+5], got[j+6], got[j+7]
368 );
369 delivered += 8;
370 if (delivered >= requested) break;
371 }
372
373 fclose(f);
374 PrintAndLog("saved %u samples", delivered);
375 return 0;
376 }
377
378 //TODO: write a help text (iceman)
379 int CmdLegicRfSim(const char *Cmd) {
380 UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
381 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
382 clearCommandBuffer();
383 SendCommand(&c);
384 return 0;
385 }
386
387 //TODO: write a help text (iceman)
388 int CmdLegicRfWrite(const char *Cmd) {
389 UsbCommand c = {CMD_WRITER_LEGIC_RF};
390 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
391 if(res != 2) {
392 PrintAndLog("Please specify the offset and length as two hex strings");
393 return -1;
394 }
395 clearCommandBuffer();
396 SendCommand(&c);
397 return 0;
398 }
399
400 int CmdLegicRfFill(const char *Cmd) {
401 UsbCommand cmd = {CMD_WRITER_LEGIC_RF};
402 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
403 if(res != 3) {
404 PrintAndLog("Please specify the offset, length and value as two hex strings");
405 return -1;
406 }
407
408 int i;
409 UsbCommand c = {CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
410 for(i = 0; i < 48; i++) {
411 c.d.asBytes[i] = cmd.arg[2];
412 }
413
414 for(i = 0; i < 22; i++) {
415 c.arg[0] = i*48;
416 SendCommand(&c);
417 WaitForResponse(CMD_ACK,NULL);
418 }
419 clearCommandBuffer();
420 SendCommand(&cmd);
421 return 0;
422 }
423
424 int CmdLegicCalcCrc8(const char *Cmd){
425
426 int len = strlen(Cmd);
427 if ( len & 1 ) return usage_legic_calccrc8();
428
429 // add 1 for null terminator.
430 uint8_t *data = malloc(len+1);
431 if ( data == NULL ) return 1;
432
433 if (param_gethex(Cmd, 0, data, len )) {
434 free(data);
435 return usage_legic_calccrc8();
436 }
437
438 uint32_t checksum = CRC8Legic(data, len/2);
439 PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
440 free(data);
441 return 0;
442 }
443
444 static command_t CommandTable[] = {
445 {"help", CmdHelp, 1, "This help"},
446 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
447 {"read", CmdLegicRFRead, 0, "[offset][length] -- read bytes from a LEGIC card"},
448 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
449 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
450 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
451 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
452 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
453 {"crc8", CmdLegicCalcCrc8, 1, "Calculate Legic CRC8 over given hexbytes"},
454 {NULL, NULL, 0, NULL}
455 };
456
457 int CmdHFLegic(const char *Cmd) {
458 clearCommandBuffer();
459 CmdsParse(CommandTable, Cmd);
460 return 0;
461 }
462
463 int CmdHelp(const char *Cmd) {
464 CmdsHelp(CommandTable);
465 return 0;
466 }
Impressum, Datenschutz