]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
There is no proof this fix anything. This could just be out of randomness or subtle...
[proxmark3-svn] / client / cmdhflegic.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxusb.h"
14 #include "data.h"
15 #include "ui.h"
16 #include "cmdparser.h"
17 #include "cmdhflegic.h"
18 #include "cmdmain.h"
19
20 static int CmdHelp(const char *Cmd);
21
22 static command_t CommandTable[] =
23 {
24 {"help", CmdHelp, 1, "This help"},
25 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
26 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
27 {NULL, NULL, 0, NULL}
28 };
29
30 int CmdHFLegic(const char *Cmd)
31 {
32 CmdsParse(CommandTable, Cmd);
33 return 0;
34 }
35
36 int CmdHelp(const char *Cmd)
37 {
38 CmdsHelp(CommandTable);
39 return 0;
40 }
41
42 /*
43 * Output BigBuf and deobfuscate LEGIC RF tag data.
44 * This is based on information given in the talk held
45 * by Henryk Ploetz and Karsten Nohl at 26c3
46 */
47 int CmdLegicDecode(const char *Cmd)
48 {
49 int h, i, j, k, n;
50 int segment_len = 0;
51 int segment_flag = 0;
52 int stamp_len = 0;
53 int crc = 0;
54 int wrp = 0;
55 int wrc = 0;
56 int data_buf[1032]; // receiver buffer
57 char out_string[3076]; // just use big buffer - bad practice
58 char token_type[4];
59 int delivered = 0;
60
61 h = 0;
62
63 // copy data from proxmark into buffer
64 for (i = 0; i < 256; i += 12, h += 48) {
65 UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
66 SendCommand(&c);
67 WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
68
69 for (j = 0; j < 48; j += 8) {
70 for (k = 0; k < 8; k++) {
71 data_buf[h+j+k] = sample_buf[j+k];
72 }
73 delivered += 8;
74 if (delivered >= 1024)
75 break;
76 }
77 }
78
79 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
80
81 PrintAndLog("\nCDF: System Area");
82
83 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
84 data_buf[0],
85 data_buf[1],
86 data_buf[2],
87 data_buf[3],
88 data_buf[4]
89 );
90
91 crc = data_buf[4];
92
93 switch (data_buf[5]&0x7f) {
94 case 0x00 ... 0x2f:
95 strncpy(token_type, "IAM",sizeof(token_type));
96 break;
97 case 0x30 ... 0x6f:
98 strcpy(token_type, "SAM");
99 break;
100 case 0x70 ... 0x7f:
101 strcpy(token_type, "GAM");
102 break;
103 default:
104 strcpy(token_type, "???");
105 break;
106 }
107
108 stamp_len = 0xfc - data_buf[6];
109
110 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
111 data_buf[5],
112 data_buf[6],
113 token_type,
114 (data_buf[5]&0x80)>>7,
115 stamp_len
116 );
117
118 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
119 data_buf[7]&0x0f,
120 (data_buf[7]&0x70)>>4,
121 (data_buf[7]&0x80)>>7,
122 data_buf[7],
123 data_buf[8]
124 );
125
126 PrintAndLog("Remaining Header Area");
127
128 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
129 data_buf[9],
130 data_buf[10],
131 data_buf[11],
132 data_buf[12],
133 data_buf[13],
134 data_buf[14],
135 data_buf[15],
136 data_buf[16],
137 data_buf[17],
138 data_buf[18],
139 data_buf[19],
140 data_buf[20],
141 data_buf[21]
142 );
143
144 PrintAndLog("\nADF: User Area");
145
146 i = 22;
147 for (n=0; n<64; n++) {
148 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
149 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
150
151 wrp = (data_buf[i+2]^crc);
152 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
153
154 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
155 n,
156 data_buf[i]^crc,
157 data_buf[i+1]^crc,
158 data_buf[i+2]^crc,
159 data_buf[i+3]^crc,
160 segment_flag,
161 (segment_flag&0x4)>>2,
162 (segment_flag&0x8)>>3,
163 segment_len,
164 wrp,
165 wrc,
166 ((data_buf[i+3]^crc)&0x80)>>7,
167 (data_buf[i+4]^crc)
168 );
169
170 i+=5;
171
172 if (wrc>0) {
173 PrintAndLog("WRC protected area:");
174 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
175 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
176 out_string[j+2] = ' ';
177 };
178
179 out_string[j] = '\0';
180
181 PrintAndLog("%s", out_string);
182 }
183
184 if (wrp>wrc) {
185 PrintAndLog("Remaining write protected area:");
186
187 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
188 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
189 out_string[j+2] = ' ';
190 };
191
192 out_string[j] = '\0';
193
194 PrintAndLog("%s", out_string);
195 if((wrp-wrc) == 8) {
196 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
197 PrintAndLog("%s", out_string);
198 }
199 }
200
201 PrintAndLog("Remaining segment payload:");
202 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
203 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
204 out_string[j+2] = ' ';
205 };
206
207 out_string[j] = '\0';
208
209 PrintAndLog("%s", out_string);
210
211 // end with last segment
212 if (segment_flag & 0x8)
213 return 0;
214 };
215 return 0;
216 }
217
218 int CmdLegicRFRead(const char *Cmd)
219 {
220 int byte_count=0,offset=0;
221 sscanf(Cmd, "%i %i", &offset, &byte_count);
222 if(byte_count == 0) byte_count = -1;
223 if(byte_count + offset > 1024) byte_count = 1024 - offset;
224 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
225 SendCommand(&c);
226 return 0;
227 }
Impressum, Datenschutz