+int usage_legic_calccrc8(void){
+ PrintAndLog("Calculates the legic crc8 on the input hexbytes.");
+ PrintAndLog("There must be an even number of hexsymbols as input.");
+ PrintAndLog("Usage: hf legic crc8 <hexbytes>");
+ PrintAndLog("Options :");
+ PrintAndLog(" <hexbytes> : hex bytes in a string");
+ PrintAndLog("");
+ PrintAndLog("Sample : hf legic crc8 deadbeef1122");
+ return 0;
+}
+
+int usage_legic_load(void){
+ PrintAndLog("It loads datasamples from the file `filename` to device memory");
+ PrintAndLog("Usage: hf legic load <file name>");
+ PrintAndLog(" sample: hf legic load filename");
+ return 0;
+}
+
+/*
+ * Output BigBuf and deobfuscate LEGIC RF tag data.
+ * This is based on information given in the talk held
+ * by Henryk Ploetz and Karsten Nohl at 26c3
+ */
+int CmdLegicDecode(const char *Cmd) {
+ // Index for the bytearray.
+ int i = 0;
+ int k = 0, segmentNum;
+ int segment_len = 0;
+ int segment_flag = 0;
+ uint8_t stamp_len = 0;
+ int crc = 0;
+ int wrp = 0;
+ int wrc = 0;
+ uint8_t data_buf[1200]; // receiver buffer, should be 1024..
+ char token_type[4];
+
+ // copy data from proxmark into buffer
+ GetFromBigBuf(data_buf,sizeof(data_buf),0);
+ WaitForResponse(CMD_ACK,NULL);
+
+ // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
+ crc = data_buf[4];
+ uint32_t calc_crc = CRC8Legic(data_buf, 4);
+
+ PrintAndLog("\nCDF: System Area");
+
+ PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
+ data_buf[0],
+ data_buf[1],
+ data_buf[2],
+ data_buf[3],
+ data_buf[4],
+ (calc_crc == crc) ? "OK":"Fail"
+ );
+
+ switch (data_buf[5] & 0x7f) {
+ case 0x00 ... 0x2f:
+ strncpy(token_type, "IAM",sizeof(token_type));
+ break;
+ case 0x30 ... 0x6f:
+ strncpy(token_type, "SAM",sizeof(token_type));
+ break;
+ case 0x70 ... 0x7f:
+ strncpy(token_type, "GAM",sizeof(token_type));
+ break;
+ default:
+ strncpy(token_type, "???",sizeof(token_type));
+ break;
+ }
+
+ stamp_len = 0xfc - data_buf[6];
+
+ PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
+ data_buf[5],
+ data_buf[6],
+ token_type,
+ (data_buf[5]&0x80)>>7,
+ stamp_len
+ );
+
+ PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
+ data_buf[7]&0x0f,
+ (data_buf[7]&0x70)>>4,
+ (data_buf[7]&0x80)>>7,
+ data_buf[7],
+ data_buf[8]
+ );
+
+ PrintAndLog("Remaining Header Area");
+ PrintAndLog("%s", sprint_hex(data_buf+9, 13));
+
+ uint8_t segCrcBytes[8] = {0x00};
+ uint32_t segCalcCRC = 0;
+ uint32_t segCRC = 0;
+
+ PrintAndLog("\nADF: User Area");
+ printf("-------------------------------------\n");
+ i = 22;
+ // 64 potential segements
+ for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
+ segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
+ segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
+
+ wrp = (data_buf[i+2]^crc);
+ wrc = ((data_buf[i+3]^crc)&0x70)>>4;
+
+ bool hasWRC = (wrc > 0);
+ bool hasWRP = (wrp > wrc);
+ int wrp_len = (wrp - wrc);
+ int remain_seg_payload_len = (segment_len - wrp - 5);
+
+ // validate segment-crc
+ segCrcBytes[0]=data_buf[0]; //uid0
+ segCrcBytes[1]=data_buf[1]; //uid1
+ segCrcBytes[2]=data_buf[2]; //uid2
+ segCrcBytes[3]=data_buf[3]; //uid3
+ segCrcBytes[4]=(data_buf[i]^crc); //hdr0
+ segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
+ segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
+ segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
+
+ segCalcCRC = CRC8Legic(segCrcBytes, 8);
+ segCRC = data_buf[i+4]^crc;
+
+ PrintAndLog("Segment %02u \nraw header=0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
+ segmentNum,
+ data_buf[i]^crc,
+ data_buf[i+1]^crc,
+ data_buf[i+2]^crc,
+ data_buf[i+3]^crc,
+ segment_len,
+ segment_flag,
+ (segment_flag & 0x4) >> 2,
+ (segment_flag & 0x8) >> 3,
+ wrp,
+ wrc,
+ ((data_buf[i+3]^crc) & 0x80) >> 7,
+ segCRC,
+ ( segCRC == segCalcCRC ) ? "OK" : "fail"
+ );
+
+ i += 5;
+
+ if ( hasWRC ) {
+ PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
+
+ // de-xor? if not zero, assume it needs xoring.
+ if ( data_buf[i] > 0) {
+ for ( k=i; k < wrc; ++k)
+ data_buf[k] ^= crc;
+ }
+ print_hex_break( data_buf+i, wrc, 16);
+
+ i += wrc;
+ }
+
+ if ( hasWRP ) {
+ PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
+
+ // de-xor? if not zero, assume it needs xoring.
+ if ( data_buf[i] > 0) {
+ for (k=i; k < wrp_len; ++k)
+ data_buf[k] ^= crc;
+ }
+
+ print_hex_break( data_buf+i, wrp_len, 16);
+
+ i += wrp_len;
+
+ // does this one work?
+ if( wrp_len == 8 )
+ PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
+ }
+
+ PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
+
+ if ( data_buf[i] > 0 ) {
+ for ( k=i; k < remain_seg_payload_len; ++k)
+ data_buf[k] ^= crc;
+ }
+
+ print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+
+ i += remain_seg_payload_len;
+
+ printf("\n-------------------------------------\n");
+
+ // end with last segment
+ if (segment_flag & 0x8) return 0;
+
+ } // end for loop
+ return 0;
+}