return 0;
}
+int usage_legic_read(void){
+ PrintAndLog("Read data from a legic tag.");
+ PrintAndLog("Usage: hf legic read <offset> <num of bytes>");
+ PrintAndLog("Options :");
+ PrintAndLog(" <offset> : offset in data array to start download from");
+ PrintAndLog(" <num of bytes> : number of bytes to download");
+ PrintAndLog("");
+ PrintAndLog(" sample: hf legic read");
+ return 0;
+}
+
/*
* Output BigBuf and deobfuscate LEGIC RF tag data.
- * This is based on information given in the talk held
+ * This is based on information given in the talk held
* by Henryk Ploetz and Karsten Nohl at 26c3
*/
int CmdLegicDecode(const char *Cmd) {
int crc = 0;
int wrp = 0;
int wrc = 0;
- uint8_t data_buf[1200]; // receiver buffer, should be 1024..
+ uint8_t data_buf[1024]; // receiver buffer, should be 1024..
char token_type[4];
- // copy data from proxmark into buffer
- GetFromBigBuf(data_buf,sizeof(data_buf),0);
- WaitForResponse(CMD_ACK,NULL);
-
+ // download EML memory, where the "legic read" command puts the data.
+ GetEMLFromBigBuf(data_buf, sizeof(data_buf), 0);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
+ PrintAndLog("Command execute timeout");
+ return 1;
+ }
+
// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
crc = data_buf[4];
uint32_t calc_crc = CRC8Legic(data_buf, 4);
PrintAndLog("\nCDF: System Area");
-
+ PrintAndLog("------------------------------------------------------");
PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
data_buf[0],
data_buf[1],
stamp_len = 0xfc - data_buf[6];
- PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
+ PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
data_buf[5],
data_buf[6],
token_type,
uint32_t segCalcCRC = 0;
uint32_t segCRC = 0;
+ // see if user area is xored or just zeros.
+ int numOfZeros = 0;
+ for (int index=22; index < 256; ++index){
+ if ( data_buf[index] == 0x00 )
+ ++numOfZeros;
+ }
+ // if possible zeros is less then 60%, lets assume data is xored
+ // 256 - 22 (header) = 234
+ // 1024 - 22 (header) = 1002
+ int isXored = (numOfZeros*100/stamp_len) < 50;
+ PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len));
+
+ print_hex_break( data_buf, 33, 16);
+
+ return 0;
+
PrintAndLog("\nADF: User Area");
+ PrintAndLog("------------------------------------------------------");
i = 22;
// 64 potential segements
+ // how to detect there is no segments?!?
for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
segCalcCRC = CRC8Legic(segCrcBytes, 8);
segCRC = data_buf[i+4]^crc;
- PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x (%s)",
+ PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
segmentNum,
data_buf[i]^crc,
data_buf[i+1]^crc,
data_buf[i+2]^crc,
data_buf[i+3]^crc,
+ segment_len,
segment_flag,
(segment_flag & 0x4) >> 2,
(segment_flag & 0x8) >> 3,
- segment_len,
wrp,
wrc,
((data_buf[i+3]^crc) & 0x80) >> 7,
if ( hasWRC ) {
PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
-
- for ( k=i; k < wrc; k++)
- data_buf[k] ^= crc;
-
- //is WRC / 8?
-
- // for ( k=i; k < wrc; k += 8)
- PrintAndLog("%s", sprint_hex( data_buf+i, wrc ) );
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
+ // de-xor? if not zero, assume it needs xoring.
+ if ( isXored) {
+ for ( k=i; k < wrc; ++k)
+ data_buf[k] ^= crc;
+ }
+ print_hex_break( data_buf+i, wrc, 16);
i += wrc;
}
if ( hasWRP ) {
PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
- // // de-xor?
- // if ( data_buf[k] > 0) {
- // for (k=i; k < wrp_len; k++)
- // data_buf[k] ^= crc;
- // }
+ if (isXored) {
+ for (k=i; k < wrp_len; ++k)
+ data_buf[k] ^= crc;
+ }
- // for (k=i; k < wrp_len; k += 16) {
-
- PrintAndLog("%s", sprint_hex( data_buf+i, wrp_len));
- // }
+ print_hex_break( data_buf+i, wrp_len, 16);
i += wrp_len;
- // if( wrp_len == 8 )
- // PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
+ // does this one work?
+ if( wrp_len == 8 )
+ PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
}
- PrintAndLog("Remaining segment payload:");
-
- // if ( data_buf[k] > 0 ) {
- // for ( k=i; k < remain_seg_payload_len; k++)
- // data_buf[k] ^= crc;
- // }
+ PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
+ if ( isXored ) {
+ for ( k=i; k < remain_seg_payload_len; ++k)
+ data_buf[k] ^= crc;
+ }
- // for ( k=i; k < remain_seg_payload_len; k++)
- PrintAndLog("%s", sprint_hex( data_buf+i, remain_seg_payload_len ) );
+ print_hex_break( data_buf+i, remain_seg_payload_len, 16);
i += remain_seg_payload_len;
+ PrintAndLog("-----+------------------------------------------------\n");
+
// end with last segment
if (segment_flag & 0x8) return 0;
}
int CmdLegicRFRead(const char *Cmd) {
+
+ // params:
+ // offset in data
+ // number of bytes.
+ char cmdp = param_getchar(Cmd, 0);
+ if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read();
+
int byte_count=0, offset=0;
sscanf(Cmd, "%i %i", &offset, &byte_count);
if(byte_count == 0) byte_count = -1;
return 0;
}
+ GetFromBigBuf(got, requested, offset);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
+ PrintAndLog("Command execute timeout");
+ return 1;
+ }
+
FILE *f = fopen(filename, "w");
if(!f) {
PrintAndLog("couldn't open '%s'", Cmd+1);
return -1;
}
-
- GetFromBigBuf(got, requested, offset);
- WaitForResponse(CMD_ACK, NULL);
-
+
for (int j = 0; j < requested; j += 8) {
fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
got[j+0], got[j+1], got[j+2], got[j+3],
return 0;
}
+//TODO: write a help text (iceman)
int CmdLegicRfSim(const char *Cmd) {
UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
return 0;
}
+//TODO: write a help text (iceman)
int CmdLegicRfWrite(const char *Cmd) {
UsbCommand c = {CMD_WRITER_LEGIC_RF};
int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
int CmdLegicCalcCrc8(const char *Cmd){
int len = strlen(Cmd);
- if (len & 1 ) return usage_legic_calccrc8();
+ if ( len & 1 ) return usage_legic_calccrc8();
- uint8_t *data = malloc(len);
+ // add 1 for null terminator.
+ uint8_t *data = malloc(len+1);
if ( data == NULL ) return 1;
- param_gethex(Cmd, 0, data, len );
+ if (param_gethex(Cmd, 0, data, len )) {
+ free(data);
+ return usage_legic_calccrc8();
+ }
uint32_t checksum = CRC8Legic(data, len/2);
PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
projects / proxmark3-svn / blobdiff