X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/c6e0a2ebebb186849764b5a227662c515cfd7c6b..b82c2f85e457f361b119d21a31f3263ac3489cc8:/client/cmdhflegic.c diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index aef6ef0c..0262f81c 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -38,33 +38,48 @@ int usage_legic_load(void){ return 0; } +int usage_legic_read(void){ + PrintAndLog("Read data from a legic tag."); + PrintAndLog("Usage: hf legic read "); + PrintAndLog("Options :"); + PrintAndLog(" : offset in data array to start download from"); + PrintAndLog(" : number of bytes to download"); + PrintAndLog(""); + PrintAndLog(" sample: hf legic read"); + return 0; +} + /* * Output BigBuf and deobfuscate LEGIC RF tag data. - * This is based on information given in the talk held + * This is based on information given in the talk held * by Henryk Ploetz and Karsten Nohl at 26c3 */ int CmdLegicDecode(const char *Cmd) { - int i, k, n; + // Index for the bytearray. + int i = 0; + int k = 0, segmentNum; int segment_len = 0; int segment_flag = 0; - int stamp_len = 0; + uint8_t stamp_len = 0; int crc = 0; int wrp = 0; int wrc = 0; - uint8_t data_buf[1200]; // receiver buffer - //char out_string[3076]; // just use big buffer - bad practice + uint8_t data_buf[1024]; // receiver buffer, should be 1024.. char token_type[4]; - // copy data from proxmark into buffer - GetFromBigBuf(data_buf,sizeof(data_buf),0); - WaitForResponse(CMD_ACK,NULL); - + // download EML memory, where the "legic read" command puts the data. + GetEMLFromBigBuf(data_buf, sizeof(data_buf), 0); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){ + PrintAndLog("Command execute timeout"); + return 1; + } + // Output CDF System area (9 bytes) plus remaining header area (12 bytes) crc = data_buf[4]; uint32_t calc_crc = CRC8Legic(data_buf, 4); PrintAndLog("\nCDF: System Area"); - + PrintAndLog("------------------------------------------------------"); PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s", data_buf[0], data_buf[1], @@ -74,24 +89,24 @@ int CmdLegicDecode(const char *Cmd) { (calc_crc == crc) ? "OK":"Fail" ); - switch (data_buf[5]&0x7f) { + switch (data_buf[5] & 0x7f) { case 0x00 ... 0x2f: strncpy(token_type, "IAM",sizeof(token_type)); break; case 0x30 ... 0x6f: - strcpy(token_type, "SAM"); + strncpy(token_type, "SAM",sizeof(token_type)); break; case 0x70 ... 0x7f: - strcpy(token_type, "GAM"); + strncpy(token_type, "GAM",sizeof(token_type)); break; default: - strcpy(token_type, "???"); + strncpy(token_type, "???",sizeof(token_type)); break; } stamp_len = 0xfc - data_buf[6]; - PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u", + PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u", data_buf[5], data_buf[6], token_type, @@ -109,91 +124,123 @@ int CmdLegicDecode(const char *Cmd) { PrintAndLog("Remaining Header Area"); PrintAndLog("%s", sprint_hex(data_buf+9, 13)); - PrintAndLog("\nADF: User Area"); - - i = 22; + uint8_t segCrcBytes[8] = {0x00}; uint32_t segCalcCRC = 0; uint32_t segCRC = 0; + + // see if user area is xored or just zeros. + int numOfZeros = 0; + for (int index=22; index < 256; ++index){ + if ( data_buf[index] == 0x00 ) + ++numOfZeros; + } + // if possible zeros is less then 60%, lets assume data is xored + // 256 - 22 (header) = 234 + // 1024 - 22 (header) = 1002 + int isXored = (numOfZeros*100/stamp_len) < 50; + PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len)); + + print_hex_break( data_buf, 33, 16); + + return 0; - for ( n=0; n<64; n++ ) { + PrintAndLog("\nADF: User Area"); + PrintAndLog("------------------------------------------------------"); + i = 22; + // 64 potential segements + // how to detect there is no segments?!? + for ( segmentNum=0; segmentNum<64; segmentNum++ ) { segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc); segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4; wrp = (data_buf[i+2]^crc); wrc = ((data_buf[i+3]^crc)&0x70)>>4; - /* validate segment-crc */ - segCRC = data_buf[i+4]^crc; + bool hasWRC = (wrc > 0); + bool hasWRP = (wrp > wrc); + int wrp_len = (wrp - wrc); + int remain_seg_payload_len = (segment_len - wrp - 5); - segCrcBytes[0]=data_buf[0]; //uid0 - segCrcBytes[1]=data_buf[1]; //uid1 - segCrcBytes[2]=data_buf[2]; //uid2 - segCrcBytes[3]=data_buf[3]; //uid3 - segCrcBytes[4]=(data_buf[i]^crc); //hdr0 + // validate segment-crc + segCrcBytes[0]=data_buf[0]; //uid0 + segCrcBytes[1]=data_buf[1]; //uid1 + segCrcBytes[2]=data_buf[2]; //uid2 + segCrcBytes[3]=data_buf[3]; //uid3 + segCrcBytes[4]=(data_buf[i]^crc); //hdr0 segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1 segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2 segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3 + segCalcCRC = CRC8Legic(segCrcBytes, 8); + segCRC = data_buf[i+4]^crc; - PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x (%s)", - n, + PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)", + segmentNum, data_buf[i]^crc, data_buf[i+1]^crc, data_buf[i+2]^crc, data_buf[i+3]^crc, + segment_len, segment_flag, - (segment_flag&0x4)>>2, - (segment_flag&0x8)>>3, - segment_len, + (segment_flag & 0x4) >> 2, + (segment_flag & 0x8) >> 3, wrp, wrc, - ((data_buf[i+3]^crc)&0x80)>>7, + ((data_buf[i+3]^crc) & 0x80) >> 7, segCRC, ( segCRC == segCalcCRC ) ? "OK" : "fail" ); i += 5; - if ( wrc>0 ) { - PrintAndLog("WRC protected area:"); - - for ( k=i; k < wrc; k++) - data_buf[k] ^= crc; - - for ( k=i; k < wrc; k += 8) - PrintAndLog("%s", sprint_hex( data_buf+k, 8) ); + if ( hasWRC ) { + PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); + // de-xor? if not zero, assume it needs xoring. + if ( isXored) { + for ( k=i; k < wrc; ++k) + data_buf[k] ^= crc; + } + print_hex_break( data_buf+i, wrc, 16); i += wrc; } - if ( wrp>wrc ) { - PrintAndLog("Remaining write protected area:"); + if ( hasWRP ) { + PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); - if ( data_buf[k] > 0) { - for (k=i; k < (wrp-wrc); k++) + if (isXored) { + for (k=i; k < wrp_len; ++k) data_buf[k] ^= crc; } - for (k=i; k < (wrp-wrc); k++) - PrintAndLog("%s", sprint_hex( data_buf+k, 16) ); - - i += (wrp-wrc); + print_hex_break( data_buf+i, wrp_len, 16); - if( (wrp-wrc) == 8 ) + i += wrp_len; + + // does this one work? + if( wrp_len == 8 ) PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc); } - PrintAndLog("Remaining segment payload:"); - - if ( data_buf[k] > 0 ) { - for ( k=i; k < (segment_len - wrp - 5); k++) + PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); + if ( isXored ) { + for ( k=i; k < remain_seg_payload_len; ++k) data_buf[k] ^= crc; } - for ( k=i; k < (segment_len - wrp - 5); k++) - PrintAndLog("%s", sprint_hex( data_buf+k, 16) ); + print_hex_break( data_buf+i, remain_seg_payload_len, 16); + i += remain_seg_payload_len; + + PrintAndLog("-----+------------------------------------------------\n"); + // end with last segment if (segment_flag & 0x8) return 0; @@ -202,6 +249,13 @@ int CmdLegicDecode(const char *Cmd) { } int CmdLegicRFRead(const char *Cmd) { + + // params: + // offset in data + // number of bytes. + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read(); + int byte_count=0, offset=0; sscanf(Cmd, "%i %i", &offset, &byte_count); if(byte_count == 0) byte_count = -1; @@ -262,8 +316,11 @@ int CmdLegicLoad(const char *Cmd) { memcpy(c.d.asBytes, data, sizeof(data)); clearCommandBuffer(); SendCommand(&c); - WaitForResponse(CMD_ACK, NULL); - + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){ + PrintAndLog("Command execute timeout"); + fclose(f); + return 1; + } offset += index; totalbytes += index; index = 0; @@ -277,7 +334,10 @@ int CmdLegicLoad(const char *Cmd) { memcpy(c.d.asBytes, data, 8); clearCommandBuffer(); SendCommand(&c); - WaitForResponse(CMD_ACK, NULL); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){ + PrintAndLog("Command execute timeout"); + return 1; + } totalbytes += index; } @@ -309,15 +369,18 @@ int CmdLegicSave(const char *Cmd) { return 0; } + GetFromBigBuf(got, requested, offset); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){ + PrintAndLog("Command execute timeout"); + return 1; + } + FILE *f = fopen(filename, "w"); if(!f) { PrintAndLog("couldn't open '%s'", Cmd+1); return -1; } - - GetFromBigBuf(got,requested,offset); - WaitForResponse(CMD_ACK,NULL); - + for (int j = 0; j < requested; j += 8) { fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n", got[j+0], got[j+1], got[j+2], got[j+3], @@ -332,6 +395,7 @@ int CmdLegicSave(const char *Cmd) { return 0; } +//TODO: write a help text (iceman) int CmdLegicRfSim(const char *Cmd) { UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}}; sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]); @@ -340,6 +404,7 @@ int CmdLegicRfSim(const char *Cmd) { return 0; } +//TODO: write a help text (iceman) int CmdLegicRfWrite(const char *Cmd) { UsbCommand c = {CMD_WRITER_LEGIC_RF}; int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]); @@ -379,12 +444,16 @@ int CmdLegicRfFill(const char *Cmd) { int CmdLegicCalcCrc8(const char *Cmd){ int len = strlen(Cmd); - if (len & 1 ) return usage_legic_calccrc8(); + if ( len & 1 ) return usage_legic_calccrc8(); - uint8_t *data = malloc(len); + // add 1 for null terminator. + uint8_t *data = malloc(len+1); if ( data == NULL ) return 1; - param_gethex(Cmd, 0, data, len ); + if (param_gethex(Cmd, 0, data, len )) { + free(data); + return usage_legic_calccrc8(); + } uint32_t checksum = CRC8Legic(data, len/2); PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );