X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e719470c461e38fb3ad99416d06fa1b5b19ff357..fa5118e7308c1beebf84f4a6664be7923a6bea04:/client/cmdhflegic.c?ds=sidebyside diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 731cead1..f23f7da0 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -47,24 +47,29 @@ int usage_legic_read(void){ return 0; } +int usage_legic_sim(void){ + return 0; +} +int usage_legic_rawwrite(void){ + return 0; +} +int usage_legic_fill(void){ + return 0; +} + /* * Output BigBuf and deobfuscate LEGIC RF tag data. * This is based on information given in the talk held * by Henryk Ploetz and Karsten Nohl at 26c3 */ int CmdLegicDecode(const char *Cmd) { - // Index for the bytearray. - int i = 0; - int k = 0, segmentNum; - int segment_len = 0; - int segment_flag = 0; + + int i = 0, k = 0, segmentNum = 0, segment_len = 0, segment_flag = 0; + int crc = 0, wrp = 0, wrc = 0; uint8_t stamp_len = 0; - int crc = 0; - int wrp = 0; - int wrc = 0; - uint8_t data_buf[1052]; // receiver buffer, should be 1024.. - char token_type[5]; - int dcf; + uint8_t data_buf[1052]; // receiver buffer + char token_type[5] = {0,0,0,0,0}; + int dcf = 0; int bIsSegmented = 0; // download EML memory, where the "legic read" command puts the data. @@ -111,35 +116,35 @@ int CmdLegicDecode(const char *Cmd) { fl = 1; stamp_len = 0x0c - (data_buf[5] >> 4); } else { - switch (data_buf[5] & 0x7f) { - case 0x00 ... 0x2f: - strncpy(token_type, "IAM",sizeof(token_type)); - fl = (0x2f - (data_buf[5] & 0x7f)) + 1; - break; - case 0x30 ... 0x6f: - strncpy(token_type, "SAM",sizeof(token_type)); - fl = (0x6f - (data_buf[5] & 0x7f)) + 1; - break; - case 0x70 ... 0x7f: - strncpy(token_type, "GAM",sizeof(token_type)); - fl = (0x7f - (data_buf[5] & 0x7f)) + 1; - break; - } + switch (data_buf[5] & 0x7f) { + case 0x00 ... 0x2f: + strncpy(token_type, "IAM", sizeof(token_type)); + fl = (0x2f - (data_buf[5] & 0x7f)) + 1; + break; + case 0x30 ... 0x6f: + strncpy(token_type, "SAM", sizeof(token_type)); + fl = (0x6f - (data_buf[5] & 0x7f)) + 1; + break; + case 0x70 ... 0x7f: + strncpy(token_type, "GAM", sizeof(token_type)); + fl = (0x7f - (data_buf[5] & 0x7f)) + 1; + break; + } - stamp_len = 0xfc - data_buf[6]; + stamp_len = 0xfc - data_buf[6]; } PrintAndLog("DCF: %d (%02x %02x), Token Type=%s (OLE=%01u), OL=%02u, FL=%02u", dcf, - data_buf[5], - data_buf[6], - token_type, - (data_buf[5]&0x80)>>7, + data_buf[5], + data_buf[6], + token_type, + (data_buf[5] & 0x80 )>> 7, stamp_len, fl - ); + ); - } else { // Is IM(-S) type of card... + } else { // Is IM(-S) type of card... if(data_buf[7] == 0x9F && data_buf[8] == 0xFF) { bIsSegmented = 1; @@ -153,7 +158,7 @@ int CmdLegicDecode(const char *Cmd) { data_buf[5], data_buf[6], token_type, - (data_buf[5]&0x80)>>7 + (data_buf[5]&0x80) >> 7 ); } @@ -162,11 +167,11 @@ int CmdLegicDecode(const char *Cmd) { if(bIsSegmented) { PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, SSC=%02x", - data_buf[7]&0x0f, - (data_buf[7]&0x70)>>4, - (data_buf[7]&0x80)>>7, - data_buf[8] - ); + data_buf[7] & 0x0f, + (data_buf[7] & 0x70) >> 4, + (data_buf[7] & 0x80) >> 7, + data_buf[8] + ); } // Header area is only available on IM-S cards, on master tokens this data is the master token data itself @@ -175,129 +180,127 @@ int CmdLegicDecode(const char *Cmd) { PrintAndLog("Master token data"); PrintAndLog("%s", sprint_hex(data_buf+8, 14)); } else { - PrintAndLog("Remaining Header Area"); - PrintAndLog("%s", sprint_hex(data_buf+9, 13)); + PrintAndLog("Remaining Header Area"); + PrintAndLog("%s", sprint_hex(data_buf+9, 13)); } } } - - uint8_t segCrcBytes[8] = {0x00}; + uint8_t segCrcBytes[8] = {0,0,0,0,0,0,0,0}; uint32_t segCalcCRC = 0; uint32_t segCRC = 0; - // Data card? if(dcf <= 60000) { - PrintAndLog("\nADF: User Area"); - PrintAndLog("------------------------------------------------------"); + PrintAndLog("\nADF: User Area"); + PrintAndLog("------------------------------------------------------"); if(bIsSegmented) { // Data start point on segmented cards - i = 22; + i = 22; // decode segments for (segmentNum=1; segmentNum < 128; segmentNum++ ) { - segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc); - segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4; - wrp = (data_buf[i+2]^crc); - wrc = ((data_buf[i+3]^crc)&0x70)>>4; - - bool hasWRC = (wrc > 0); - bool hasWRP = (wrp > wrc); - int wrp_len = (wrp - wrc); - int remain_seg_payload_len = (segment_len - wrp - 5); + segment_len = ((data_buf[i+1] ^ crc) & 0x0f) * 256 + (data_buf[i] ^ crc); + segment_flag = ((data_buf[i+1] ^ crc) & 0xf0) >> 4; + wrp = (data_buf[i+2] ^ crc); + wrc = ((data_buf[i+3] ^ crc) & 0x70) >> 4; + + bool hasWRC = (wrc > 0); + bool hasWRP = (wrp > wrc); + int wrp_len = (wrp - wrc); + int remain_seg_payload_len = (segment_len - wrp - 5); - // validate segment-crc - segCrcBytes[0]=data_buf[0]; //uid0 - segCrcBytes[1]=data_buf[1]; //uid1 - segCrcBytes[2]=data_buf[2]; //uid2 - segCrcBytes[3]=data_buf[3]; //uid3 - segCrcBytes[4]=(data_buf[i]^crc); //hdr0 - segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1 - segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2 - segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3 - - segCalcCRC = CRC8Legic(segCrcBytes, 8); - segCRC = data_buf[i+4]^crc; - - PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)", - segmentNum, - data_buf[i]^crc, - data_buf[i+1]^crc, - data_buf[i+2]^crc, - data_buf[i+3]^crc, - segment_len, - segment_flag, - (segment_flag & 0x4) >> 2, - (segment_flag & 0x8) >> 3, - wrp, - wrc, - ((data_buf[i+3]^crc) & 0x80) >> 7, - segCRC, - ( segCRC == segCalcCRC ) ? "OK" : "fail" - ); - - i += 5; + // validate segment-crc + segCrcBytes[0]=data_buf[0]; //uid0 + segCrcBytes[1]=data_buf[1]; //uid1 + segCrcBytes[2]=data_buf[2]; //uid2 + segCrcBytes[3]=data_buf[3]; //uid3 + segCrcBytes[4]=(data_buf[i] ^ crc); //hdr0 + segCrcBytes[5]=(data_buf[i+1] ^ crc); //hdr1 + segCrcBytes[6]=(data_buf[i+2] ^ crc); //hdr2 + segCrcBytes[7]=(data_buf[i+3] ^ crc); //hdr3 + + segCalcCRC = CRC8Legic(segCrcBytes, 8); + segCRC = data_buf[i+4] ^ crc; + + PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)", + segmentNum, + data_buf[i] ^ crc, + data_buf[i+1] ^ crc, + data_buf[i+2] ^ crc, + data_buf[i+3] ^ crc, + segment_len, + segment_flag, + (segment_flag & 0x4) >> 2, + (segment_flag & 0x8) >> 3, + wrp, + wrc, + ((data_buf[i+3]^crc) & 0x80) >> 7, + segCRC, + ( segCRC == segCalcCRC ) ? "OK" : "fail" + ); + + i += 5; - if ( hasWRC ) { - PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc); - PrintAndLog("\nrow | data"); - PrintAndLog("-----+------------------------------------------------"); + if ( hasWRC ) { + PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); - for ( k=i; k < (i+wrc); ++k) - data_buf[k] ^= crc; + for ( k=i; k < (i + wrc); ++k) + data_buf[k] ^= crc; - print_hex_break( data_buf+i, wrc, 16); + print_hex_break( data_buf+i, wrc, 16); - i += wrc; - } + i += wrc; + } - if ( hasWRP ) { - PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len); - PrintAndLog("\nrow | data"); - PrintAndLog("-----+------------------------------------------------"); + if ( hasWRP ) { + PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); for (k=i; k < (i+wrp_len); ++k) - data_buf[k] ^= crc; + data_buf[k] ^= crc; - print_hex_break( data_buf+i, wrp_len, 16); + print_hex_break( data_buf+i, wrp_len, 16); - i += wrp_len; + i += wrp_len; // does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...) - if( wrp_len == 8 ) - PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc); - } + if( wrp_len == 8 ) + PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc); + } - PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len); - PrintAndLog("\nrow | data"); - PrintAndLog("-----+------------------------------------------------"); + PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len); + PrintAndLog("\nrow | data"); + PrintAndLog("-----+------------------------------------------------"); for ( k=i; k < (i+remain_seg_payload_len); ++k) - data_buf[k] ^= crc; + data_buf[k] ^= crc; - print_hex_break( data_buf+i, remain_seg_payload_len, 16); + print_hex_break( data_buf+i, remain_seg_payload_len, 16); - i += remain_seg_payload_len; + i += remain_seg_payload_len; - PrintAndLog("-----+------------------------------------------------\n"); + PrintAndLog("-----+------------------------------------------------\n"); - // end with last segment - if (segment_flag & 0x8) return 0; + // end with last segment + if (segment_flag & 0x8) return 0; - } // end for loop + } // end for loop } else { // Data start point on unsegmented cards i = 8; - wrp = data_buf[7] & 0x0F; - wrc = (data_buf[7] & 0x07) >> 4; + wrp = data_buf[7] & 0x0F; + wrc = (data_buf[7] & 0x70) >> 4; bool hasWRC = (wrc > 0); bool hasWRP = (wrp > wrc); @@ -322,7 +325,7 @@ int CmdLegicDecode(const char *Cmd) { PrintAndLog("Remaining write protected area: (I %d | WRC %d | WRP %d | WRP_LEN %d)", i, wrc, wrp, wrp_len); PrintAndLog("\nrow | data"); PrintAndLog("-----+------------------------------------------------"); - print_hex_break( data_buf+i, wrp_len, 16); + print_hex_break( data_buf + i, wrp_len, 16); i += wrp_len; // does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...) @@ -333,13 +336,12 @@ int CmdLegicDecode(const char *Cmd) { PrintAndLog("Remaining segment payload: (I %d | Remain LEN %d)", i, remain_seg_payload_len); PrintAndLog("\nrow | data"); PrintAndLog("-----+------------------------------------------------"); - print_hex_break( data_buf+i, remain_seg_payload_len, 16); + print_hex_break( data_buf + i, remain_seg_payload_len, 16); i += remain_seg_payload_len; PrintAndLog("-----+------------------------------------------------\n"); } } - return 0; } @@ -351,7 +353,7 @@ int CmdLegicRFRead(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read(); - int byte_count=0, offset=0; + int byte_count = 0, offset = 0; sscanf(Cmd, "%i %i", &offset, &byte_count); if(byte_count == 0) byte_count = -1; if(byte_count + offset > 1024) byte_count = 1024 - offset; @@ -362,8 +364,10 @@ int CmdLegicRFRead(const char *Cmd) { return 0; } + int CmdLegicLoad(const char *Cmd) { - + +// iceman: potential bug, where all filepaths or filename which starts with H or h will print the helptext :) char cmdp = param_getchar(Cmd, 0); if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load(); @@ -444,9 +448,11 @@ int CmdLegicSave(const char *Cmd) { int requested = 1024; int offset = 0; int delivered = 0; - char filename[FILE_PATH_SIZE]; + char filename[FILE_PATH_SIZE] = {0x00}; uint8_t got[1024] = {0x00}; + memset(filename, 0, FILE_PATH_SIZE); + sscanf(Cmd, " %s %i %i", filename, &requested, &offset); /* If no length given save entire legic read buffer */ @@ -501,7 +507,7 @@ int CmdLegicRfSim(const char *Cmd) { //TODO: write a help text (iceman) int CmdLegicRfWrite(const char *Cmd) { - UsbCommand c = {CMD_WRITER_LEGIC_RF}; + UsbCommand c = {CMD_WRITER_LEGIC_RF, {0,0,0}}; int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]); if(res != 2) { PrintAndLog("Please specify the offset and length as two hex strings"); @@ -570,20 +576,42 @@ int CmdLegicCalcCrc8(const char *Cmd){ uint8_t cmdp = 0, uidcrc = 0, type=0; bool errors = false; int len = 0; + int bg, en; while(param_getchar(Cmd, cmdp) != 0x00) { switch(param_getchar(Cmd, cmdp)) { case 'b': case 'B': - data = malloc(len); + // peek at length of the input string so we can + // figure out how many elements to malloc in "data" + bg=en=0; + if (param_getptr(Cmd, &bg, &en, cmdp+1)) { + errors = true; + break; + } + len = (en - bg + 1); + + // check that user entered even number of characters + // for hex data string + if (len & 1) { + errors = true; + break; + } + + // it's possible for user to accidentally enter "b" parameter + // more than once - we have to clean previous malloc + if (data) free(data); + data = malloc(len >> 1); if ( data == NULL ) { PrintAndLog("Can't allocate memory. exiting"); errors = true; break; - } - param_gethex_ex(Cmd, cmdp+1, data, &len); - // if odd symbols, (hexbyte must be two symbols) - if ( len & 1 ) errors = true; + } + + if (param_gethex(Cmd, cmdp+1, data, len)) { + errors = true; + break; + } len >>= 1; cmdp += 2;