X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e719470c461e38fb3ad99416d06fa1b5b19ff357..fa5118e7308c1beebf84f4a6664be7923a6bea04:/client/cmdhflegic.c?ds=sidebyside
diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c
index 731cead1..f23f7da0 100644
--- a/client/cmdhflegic.c
+++ b/client/cmdhflegic.c
@@ -47,24 +47,29 @@ int usage_legic_read(void){
return 0;
}
+int usage_legic_sim(void){
+ return 0;
+}
+int usage_legic_rawwrite(void){
+ return 0;
+}
+int usage_legic_fill(void){
+ return 0;
+}
+
/*
* Output BigBuf and deobfuscate LEGIC RF tag data.
* This is based on information given in the talk held
* by Henryk Ploetz and Karsten Nohl at 26c3
*/
int CmdLegicDecode(const char *Cmd) {
- // Index for the bytearray.
- int i = 0;
- int k = 0, segmentNum;
- int segment_len = 0;
- int segment_flag = 0;
+
+ int i = 0, k = 0, segmentNum = 0, segment_len = 0, segment_flag = 0;
+ int crc = 0, wrp = 0, wrc = 0;
uint8_t stamp_len = 0;
- int crc = 0;
- int wrp = 0;
- int wrc = 0;
- uint8_t data_buf[1052]; // receiver buffer, should be 1024..
- char token_type[5];
- int dcf;
+ uint8_t data_buf[1052]; // receiver buffer
+ char token_type[5] = {0,0,0,0,0};
+ int dcf = 0;
int bIsSegmented = 0;
// download EML memory, where the "legic read" command puts the data.
@@ -111,35 +116,35 @@ int CmdLegicDecode(const char *Cmd) {
fl = 1;
stamp_len = 0x0c - (data_buf[5] >> 4);
} else {
- switch (data_buf[5] & 0x7f) {
- case 0x00 ... 0x2f:
- strncpy(token_type, "IAM",sizeof(token_type));
- fl = (0x2f - (data_buf[5] & 0x7f)) + 1;
- break;
- case 0x30 ... 0x6f:
- strncpy(token_type, "SAM",sizeof(token_type));
- fl = (0x6f - (data_buf[5] & 0x7f)) + 1;
- break;
- case 0x70 ... 0x7f:
- strncpy(token_type, "GAM",sizeof(token_type));
- fl = (0x7f - (data_buf[5] & 0x7f)) + 1;
- break;
- }
+ switch (data_buf[5] & 0x7f) {
+ case 0x00 ... 0x2f:
+ strncpy(token_type, "IAM", sizeof(token_type));
+ fl = (0x2f - (data_buf[5] & 0x7f)) + 1;
+ break;
+ case 0x30 ... 0x6f:
+ strncpy(token_type, "SAM", sizeof(token_type));
+ fl = (0x6f - (data_buf[5] & 0x7f)) + 1;
+ break;
+ case 0x70 ... 0x7f:
+ strncpy(token_type, "GAM", sizeof(token_type));
+ fl = (0x7f - (data_buf[5] & 0x7f)) + 1;
+ break;
+ }
- stamp_len = 0xfc - data_buf[6];
+ stamp_len = 0xfc - data_buf[6];
}
PrintAndLog("DCF: %d (%02x %02x), Token Type=%s (OLE=%01u), OL=%02u, FL=%02u",
dcf,
- data_buf[5],
- data_buf[6],
- token_type,
- (data_buf[5]&0x80)>>7,
+ data_buf[5],
+ data_buf[6],
+ token_type,
+ (data_buf[5] & 0x80 )>> 7,
stamp_len,
fl
- );
+ );
- } else { // Is IM(-S) type of card...
+ } else { // Is IM(-S) type of card...
if(data_buf[7] == 0x9F && data_buf[8] == 0xFF) {
bIsSegmented = 1;
@@ -153,7 +158,7 @@ int CmdLegicDecode(const char *Cmd) {
data_buf[5],
data_buf[6],
token_type,
- (data_buf[5]&0x80)>>7
+ (data_buf[5]&0x80) >> 7
);
}
@@ -162,11 +167,11 @@ int CmdLegicDecode(const char *Cmd) {
if(bIsSegmented) {
PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, SSC=%02x",
- data_buf[7]&0x0f,
- (data_buf[7]&0x70)>>4,
- (data_buf[7]&0x80)>>7,
- data_buf[8]
- );
+ data_buf[7] & 0x0f,
+ (data_buf[7] & 0x70) >> 4,
+ (data_buf[7] & 0x80) >> 7,
+ data_buf[8]
+ );
}
// Header area is only available on IM-S cards, on master tokens this data is the master token data itself
@@ -175,129 +180,127 @@ int CmdLegicDecode(const char *Cmd) {
PrintAndLog("Master token data");
PrintAndLog("%s", sprint_hex(data_buf+8, 14));
} else {
- PrintAndLog("Remaining Header Area");
- PrintAndLog("%s", sprint_hex(data_buf+9, 13));
+ PrintAndLog("Remaining Header Area");
+ PrintAndLog("%s", sprint_hex(data_buf+9, 13));
}
}
}
-
- uint8_t segCrcBytes[8] = {0x00};
+ uint8_t segCrcBytes[8] = {0,0,0,0,0,0,0,0};
uint32_t segCalcCRC = 0;
uint32_t segCRC = 0;
-
// Data card?
if(dcf <= 60000) {
- PrintAndLog("\nADF: User Area");
- PrintAndLog("------------------------------------------------------");
+ PrintAndLog("\nADF: User Area");
+ PrintAndLog("------------------------------------------------------");
if(bIsSegmented) {
// Data start point on segmented cards
- i = 22;
+ i = 22;
// decode segments
for (segmentNum=1; segmentNum < 128; segmentNum++ )
{
- segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
- segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
- wrp = (data_buf[i+2]^crc);
- wrc = ((data_buf[i+3]^crc)&0x70)>>4;
-
- bool hasWRC = (wrc > 0);
- bool hasWRP = (wrp > wrc);
- int wrp_len = (wrp - wrc);
- int remain_seg_payload_len = (segment_len - wrp - 5);
+ segment_len = ((data_buf[i+1] ^ crc) & 0x0f) * 256 + (data_buf[i] ^ crc);
+ segment_flag = ((data_buf[i+1] ^ crc) & 0xf0) >> 4;
+ wrp = (data_buf[i+2] ^ crc);
+ wrc = ((data_buf[i+3] ^ crc) & 0x70) >> 4;
+
+ bool hasWRC = (wrc > 0);
+ bool hasWRP = (wrp > wrc);
+ int wrp_len = (wrp - wrc);
+ int remain_seg_payload_len = (segment_len - wrp - 5);
- // validate segment-crc
- segCrcBytes[0]=data_buf[0]; //uid0
- segCrcBytes[1]=data_buf[1]; //uid1
- segCrcBytes[2]=data_buf[2]; //uid2
- segCrcBytes[3]=data_buf[3]; //uid3
- segCrcBytes[4]=(data_buf[i]^crc); //hdr0
- segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
- segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
- segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
-
- segCalcCRC = CRC8Legic(segCrcBytes, 8);
- segCRC = data_buf[i+4]^crc;
-
- PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
- segmentNum,
- data_buf[i]^crc,
- data_buf[i+1]^crc,
- data_buf[i+2]^crc,
- data_buf[i+3]^crc,
- segment_len,
- segment_flag,
- (segment_flag & 0x4) >> 2,
- (segment_flag & 0x8) >> 3,
- wrp,
- wrc,
- ((data_buf[i+3]^crc) & 0x80) >> 7,
- segCRC,
- ( segCRC == segCalcCRC ) ? "OK" : "fail"
- );
-
- i += 5;
+ // validate segment-crc
+ segCrcBytes[0]=data_buf[0]; //uid0
+ segCrcBytes[1]=data_buf[1]; //uid1
+ segCrcBytes[2]=data_buf[2]; //uid2
+ segCrcBytes[3]=data_buf[3]; //uid3
+ segCrcBytes[4]=(data_buf[i] ^ crc); //hdr0
+ segCrcBytes[5]=(data_buf[i+1] ^ crc); //hdr1
+ segCrcBytes[6]=(data_buf[i+2] ^ crc); //hdr2
+ segCrcBytes[7]=(data_buf[i+3] ^ crc); //hdr3
+
+ segCalcCRC = CRC8Legic(segCrcBytes, 8);
+ segCRC = data_buf[i+4] ^ crc;
+
+ PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
+ segmentNum,
+ data_buf[i] ^ crc,
+ data_buf[i+1] ^ crc,
+ data_buf[i+2] ^ crc,
+ data_buf[i+3] ^ crc,
+ segment_len,
+ segment_flag,
+ (segment_flag & 0x4) >> 2,
+ (segment_flag & 0x8) >> 3,
+ wrp,
+ wrc,
+ ((data_buf[i+3]^crc) & 0x80) >> 7,
+ segCRC,
+ ( segCRC == segCalcCRC ) ? "OK" : "fail"
+ );
+
+ i += 5;
- if ( hasWRC ) {
- PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
- PrintAndLog("\nrow | data");
- PrintAndLog("-----+------------------------------------------------");
+ if ( hasWRC ) {
+ PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
- for ( k=i; k < (i+wrc); ++k)
- data_buf[k] ^= crc;
+ for ( k=i; k < (i + wrc); ++k)
+ data_buf[k] ^= crc;
- print_hex_break( data_buf+i, wrc, 16);
+ print_hex_break( data_buf+i, wrc, 16);
- i += wrc;
- }
+ i += wrc;
+ }
- if ( hasWRP ) {
- PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
- PrintAndLog("\nrow | data");
- PrintAndLog("-----+------------------------------------------------");
+ if ( hasWRP ) {
+ PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
for (k=i; k < (i+wrp_len); ++k)
- data_buf[k] ^= crc;
+ data_buf[k] ^= crc;
- print_hex_break( data_buf+i, wrp_len, 16);
+ print_hex_break( data_buf+i, wrp_len, 16);
- i += wrp_len;
+ i += wrp_len;
// does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...)
- if( wrp_len == 8 )
- PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
- }
+ if( wrp_len == 8 )
+ PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
+ }
- PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
- PrintAndLog("\nrow | data");
- PrintAndLog("-----+------------------------------------------------");
+ PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
for ( k=i; k < (i+remain_seg_payload_len); ++k)
- data_buf[k] ^= crc;
+ data_buf[k] ^= crc;
- print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+ print_hex_break( data_buf+i, remain_seg_payload_len, 16);
- i += remain_seg_payload_len;
+ i += remain_seg_payload_len;
- PrintAndLog("-----+------------------------------------------------\n");
+ PrintAndLog("-----+------------------------------------------------\n");
- // end with last segment
- if (segment_flag & 0x8) return 0;
+ // end with last segment
+ if (segment_flag & 0x8) return 0;
- } // end for loop
+ } // end for loop
} else {
// Data start point on unsegmented cards
i = 8;
- wrp = data_buf[7] & 0x0F;
- wrc = (data_buf[7] & 0x07) >> 4;
+ wrp = data_buf[7] & 0x0F;
+ wrc = (data_buf[7] & 0x70) >> 4;
bool hasWRC = (wrc > 0);
bool hasWRP = (wrp > wrc);
@@ -322,7 +325,7 @@ int CmdLegicDecode(const char *Cmd) {
PrintAndLog("Remaining write protected area: (I %d | WRC %d | WRP %d | WRP_LEN %d)", i, wrc, wrp, wrp_len);
PrintAndLog("\nrow | data");
PrintAndLog("-----+------------------------------------------------");
- print_hex_break( data_buf+i, wrp_len, 16);
+ print_hex_break( data_buf + i, wrp_len, 16);
i += wrp_len;
// does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...)
@@ -333,13 +336,12 @@ int CmdLegicDecode(const char *Cmd) {
PrintAndLog("Remaining segment payload: (I %d | Remain LEN %d)", i, remain_seg_payload_len);
PrintAndLog("\nrow | data");
PrintAndLog("-----+------------------------------------------------");
- print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+ print_hex_break( data_buf + i, remain_seg_payload_len, 16);
i += remain_seg_payload_len;
PrintAndLog("-----+------------------------------------------------\n");
}
}
-
return 0;
}
@@ -351,7 +353,7 @@ int CmdLegicRFRead(const char *Cmd) {
char cmdp = param_getchar(Cmd, 0);
if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read();
- int byte_count=0, offset=0;
+ int byte_count = 0, offset = 0;
sscanf(Cmd, "%i %i", &offset, &byte_count);
if(byte_count == 0) byte_count = -1;
if(byte_count + offset > 1024) byte_count = 1024 - offset;
@@ -362,8 +364,10 @@ int CmdLegicRFRead(const char *Cmd) {
return 0;
}
+
int CmdLegicLoad(const char *Cmd) {
-
+
+// iceman: potential bug, where all filepaths or filename which starts with H or h will print the helptext :)
char cmdp = param_getchar(Cmd, 0);
if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
@@ -444,9 +448,11 @@ int CmdLegicSave(const char *Cmd) {
int requested = 1024;
int offset = 0;
int delivered = 0;
- char filename[FILE_PATH_SIZE];
+ char filename[FILE_PATH_SIZE] = {0x00};
uint8_t got[1024] = {0x00};
+ memset(filename, 0, FILE_PATH_SIZE);
+
sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
/* If no length given save entire legic read buffer */
@@ -501,7 +507,7 @@ int CmdLegicRfSim(const char *Cmd) {
//TODO: write a help text (iceman)
int CmdLegicRfWrite(const char *Cmd) {
- UsbCommand c = {CMD_WRITER_LEGIC_RF};
+ UsbCommand c = {CMD_WRITER_LEGIC_RF, {0,0,0}};
int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
if(res != 2) {
PrintAndLog("Please specify the offset and length as two hex strings");
@@ -570,20 +576,42 @@ int CmdLegicCalcCrc8(const char *Cmd){
uint8_t cmdp = 0, uidcrc = 0, type=0;
bool errors = false;
int len = 0;
+ int bg, en;
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'b':
case 'B':
- data = malloc(len);
+ // peek at length of the input string so we can
+ // figure out how many elements to malloc in "data"
+ bg=en=0;
+ if (param_getptr(Cmd, &bg, &en, cmdp+1)) {
+ errors = true;
+ break;
+ }
+ len = (en - bg + 1);
+
+ // check that user entered even number of characters
+ // for hex data string
+ if (len & 1) {
+ errors = true;
+ break;
+ }
+
+ // it's possible for user to accidentally enter "b" parameter
+ // more than once - we have to clean previous malloc
+ if (data) free(data);
+ data = malloc(len >> 1);
if ( data == NULL ) {
PrintAndLog("Can't allocate memory. exiting");
errors = true;
break;
- }
- param_gethex_ex(Cmd, cmdp+1, data, &len);
- // if odd symbols, (hexbyte must be two symbols)
- if ( len & 1 ) errors = true;
+ }
+
+ if (param_gethex(Cmd, cmdp+1, data, len)) {
+ errors = true;
+ break;
+ }
len >>= 1;
cmdp += 2;