X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e719470c461e38fb3ad99416d06fa1b5b19ff357..fa5118e7308c1beebf84f4a6664be7923a6bea04:/client/cmdhflegic.c?ds=sidebyside

diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c
index 731cead1..f23f7da0 100644
--- a/client/cmdhflegic.c
+++ b/client/cmdhflegic.c
@@ -47,24 +47,29 @@ int usage_legic_read(void){
 	return 0;
 }
 
+int usage_legic_sim(void){
+	return 0;
+}
+int usage_legic_rawwrite(void){
+	return 0;
+}
+int usage_legic_fill(void){
+	return 0;
+}
+
 /*
  *  Output BigBuf and deobfuscate LEGIC RF tag data.
  *  This is based on information given in the talk held
  *  by Henryk Ploetz and Karsten Nohl at 26c3
  */
 int CmdLegicDecode(const char *Cmd) {
-	// Index for the bytearray.
-	int i = 0;
-	int k = 0, segmentNum;
-	int segment_len = 0;
-	int segment_flag = 0;
+
+	int i = 0, k = 0, segmentNum = 0, segment_len = 0, segment_flag = 0;
+	int crc = 0, wrp = 0, wrc = 0;
 	uint8_t stamp_len = 0;
-	int crc = 0;
-	int wrp = 0;
-	int wrc = 0;
-	uint8_t data_buf[1052]; // receiver buffer,  should be 1024..
-	char token_type[5];
-	int dcf;
+	uint8_t data_buf[1052]; // receiver buffer
+	char token_type[5] = {0,0,0,0,0};
+	int dcf = 0;
 	int bIsSegmented = 0;
 
 	// download EML memory, where the "legic read" command puts the data.
@@ -111,35 +116,35 @@ int CmdLegicDecode(const char *Cmd) {
 			fl = 1;
 			stamp_len = 0x0c - (data_buf[5] >> 4);
 		} else {
-	switch (data_buf[5] & 0x7f) {
-		case 0x00 ... 0x2f:
-			strncpy(token_type, "IAM",sizeof(token_type));
-					fl = (0x2f - (data_buf[5] & 0x7f)) + 1;
-			break;
-		case 0x30 ... 0x6f:
-			strncpy(token_type, "SAM",sizeof(token_type));
-					fl = (0x6f - (data_buf[5] & 0x7f)) + 1;
-			break;
-		case 0x70 ... 0x7f:
-			strncpy(token_type, "GAM",sizeof(token_type));
-					fl = (0x7f - (data_buf[5] & 0x7f)) + 1;
-			break;
-	}
+			switch (data_buf[5] & 0x7f) {
+			case 0x00 ... 0x2f:
+				strncpy(token_type, "IAM", sizeof(token_type));
+				fl = (0x2f - (data_buf[5] & 0x7f)) + 1;
+				break;
+			case 0x30 ... 0x6f:
+				strncpy(token_type, "SAM", sizeof(token_type));
+				fl = (0x6f - (data_buf[5] & 0x7f)) + 1;
+				break;
+			case 0x70 ... 0x7f:
+				strncpy(token_type, "GAM", sizeof(token_type));
+				fl = (0x7f - (data_buf[5] & 0x7f)) + 1;
+				break;
+			}
 
-	stamp_len = 0xfc - data_buf[6];
+			stamp_len = 0xfc - data_buf[6];
 		}
 
 		PrintAndLog("DCF: %d (%02x %02x), Token Type=%s (OLE=%01u), OL=%02u, FL=%02u",
 			dcf,
-		data_buf[5],
-		data_buf[6],
-		token_type,
-		(data_buf[5]&0x80)>>7,
+			data_buf[5],
+			data_buf[6],
+			token_type,
+			(data_buf[5] & 0x80 )>> 7,
 			stamp_len,
 			fl
-	);
+		);
 
-	} else {						// Is IM(-S) type of card...
+	} else {	// Is IM(-S) type of card...
 
 		if(data_buf[7] == 0x9F && data_buf[8] == 0xFF) {
 			bIsSegmented = 1;
@@ -153,7 +158,7 @@ int CmdLegicDecode(const char *Cmd) {
 			data_buf[5],
 			data_buf[6],
 			token_type,
-			(data_buf[5]&0x80)>>7
+			(data_buf[5]&0x80) >> 7
 		);
 	}
 
@@ -162,11 +167,11 @@ int CmdLegicDecode(const char *Cmd) {
 
 		if(bIsSegmented) {
 			PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, SSC=%02x",
-		data_buf[7]&0x0f,
-		(data_buf[7]&0x70)>>4,
-		(data_buf[7]&0x80)>>7,
-		data_buf[8]
-	);
+				data_buf[7] & 0x0f,
+				(data_buf[7] & 0x70) >> 4,
+				(data_buf[7] & 0x80) >> 7,
+				data_buf[8]
+			);
 		}
 
 		// Header area is only available on IM-S cards, on master tokens this data is the master token data itself
@@ -175,129 +180,127 @@ int CmdLegicDecode(const char *Cmd) {
 				PrintAndLog("Master token data");
 				PrintAndLog("%s", sprint_hex(data_buf+8, 14));
 			} else {
-	PrintAndLog("Remaining Header Area");
-	PrintAndLog("%s", sprint_hex(data_buf+9, 13));
+				PrintAndLog("Remaining Header Area");
+				PrintAndLog("%s", sprint_hex(data_buf+9, 13));
 			}
 		}
 	}
-
 	
-	uint8_t segCrcBytes[8] = {0x00};
+	uint8_t segCrcBytes[8] = {0,0,0,0,0,0,0,0};
 	uint32_t segCalcCRC = 0;
 	uint32_t segCRC = 0;
 
-
 	// Data card?
 	if(dcf <= 60000) {
 	
-	PrintAndLog("\nADF: User Area");
-	PrintAndLog("------------------------------------------------------");
+		PrintAndLog("\nADF: User Area");
+		PrintAndLog("------------------------------------------------------");
 
 		if(bIsSegmented) {
 
 			// Data start point on segmented cards
-	i = 22;  
+			i = 22;  
 
 			// decode segments
 			for (segmentNum=1; segmentNum < 128; segmentNum++ )
 			{
-		segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
-		segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
-		wrp = (data_buf[i+2]^crc);
-		wrc = ((data_buf[i+3]^crc)&0x70)>>4;
-
-		bool hasWRC = (wrc > 0);
-		bool hasWRP = (wrp > wrc);
-		int wrp_len = (wrp - wrc);
-		int remain_seg_payload_len = (segment_len - wrp - 5);
+				segment_len = ((data_buf[i+1] ^ crc) & 0x0f) * 256 + (data_buf[i] ^ crc);
+				segment_flag = ((data_buf[i+1] ^ crc) & 0xf0) >> 4;
+				wrp = (data_buf[i+2] ^ crc);
+				wrc = ((data_buf[i+3] ^ crc) & 0x70) >> 4;
+
+				bool hasWRC = (wrc > 0);
+				bool hasWRP = (wrp > wrc);
+				int wrp_len = (wrp - wrc);
+				int remain_seg_payload_len = (segment_len - wrp - 5);
 		
-		// validate segment-crc
-		segCrcBytes[0]=data_buf[0];			//uid0
-		segCrcBytes[1]=data_buf[1];			//uid1
-		segCrcBytes[2]=data_buf[2];			//uid2
-		segCrcBytes[3]=data_buf[3];			//uid3
-		segCrcBytes[4]=(data_buf[i]^crc); 	//hdr0
-		segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
-		segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
-		segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
-
-		segCalcCRC = CRC8Legic(segCrcBytes, 8);
-		segCRC = data_buf[i+4]^crc;
-
-		PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u,  Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
-			segmentNum,
-			data_buf[i]^crc,
-			data_buf[i+1]^crc,
-			data_buf[i+2]^crc,
-			data_buf[i+3]^crc,
-			segment_len, 
-			segment_flag,
-			(segment_flag & 0x4) >> 2,
-			(segment_flag & 0x8) >> 3,
-			wrp,
-			wrc,
-			((data_buf[i+3]^crc) & 0x80) >> 7,
-			segCRC,
-			( segCRC == segCalcCRC ) ? "OK" : "fail"
-		);
-
-		i += 5;
+				// validate segment-crc
+				segCrcBytes[0]=data_buf[0];			//uid0
+				segCrcBytes[1]=data_buf[1];			//uid1
+				segCrcBytes[2]=data_buf[2];			//uid2
+				segCrcBytes[3]=data_buf[3];			//uid3
+				segCrcBytes[4]=(data_buf[i] ^ crc);   //hdr0
+				segCrcBytes[5]=(data_buf[i+1] ^ crc); //hdr1
+				segCrcBytes[6]=(data_buf[i+2] ^ crc); //hdr2
+				segCrcBytes[7]=(data_buf[i+3] ^ crc); //hdr3
+
+				segCalcCRC = CRC8Legic(segCrcBytes, 8);
+				segCRC = data_buf[i+4] ^ crc;
+
+				PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u,  Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
+					segmentNum,
+					data_buf[i] ^ crc,
+					data_buf[i+1] ^ crc,
+					data_buf[i+2] ^ crc,
+					data_buf[i+3] ^ crc,
+					segment_len, 
+					segment_flag,
+					(segment_flag & 0x4) >> 2,
+					(segment_flag & 0x8) >> 3,
+					wrp,
+					wrc,
+					((data_buf[i+3]^crc) & 0x80) >> 7,
+					segCRC,
+					( segCRC == segCalcCRC ) ? "OK" : "fail"
+				);
+
+				i += 5;
     
-		if ( hasWRC ) {
-			PrintAndLog("WRC protected area:   (I %d | K %d| WRC %d)", i, k, wrc);
-			PrintAndLog("\nrow  | data");
-			PrintAndLog("-----+------------------------------------------------");
+				if ( hasWRC ) {
+					PrintAndLog("WRC protected area:   (I %d | K %d| WRC %d)", i, k, wrc);
+					PrintAndLog("\nrow  | data");
+					PrintAndLog("-----+------------------------------------------------");
 
-					for ( k=i; k < (i+wrc); ++k)
-					data_buf[k] ^= crc;
+					for ( k=i; k < (i + wrc); ++k)
+						data_buf[k] ^= crc;
 
-			print_hex_break( data_buf+i, wrc, 16);
+					print_hex_break( data_buf+i, wrc, 16);
 			
-			i += wrc;
-		}
+					i += wrc;
+				}
     
-		if ( hasWRP ) {
-			PrintAndLog("Remaining write protected area:  (I %d | K %d | WRC %d | WRP %d  WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
-			PrintAndLog("\nrow  | data");
-			PrintAndLog("-----+------------------------------------------------");
+				if ( hasWRP ) {
+					PrintAndLog("Remaining write protected area:  (I %d | K %d | WRC %d | WRP %d  WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
+					PrintAndLog("\nrow  | data");
+					PrintAndLog("-----+------------------------------------------------");
 
 					for (k=i; k < (i+wrp_len); ++k)
-					data_buf[k] ^= crc;
+						data_buf[k] ^= crc;
 			
-			print_hex_break( data_buf+i, wrp_len, 16);
+					print_hex_break( data_buf+i, wrp_len, 16);
 			
-			i += wrp_len;
+					i += wrp_len;
 			
 					// does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...)
-			if( wrp_len == 8 )
-				PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);			
-		}
+					if( wrp_len == 8 )
+						PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);			
+				}
     
-		PrintAndLog("Remaining segment payload:  (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
-		PrintAndLog("\nrow  | data");
-		PrintAndLog("-----+------------------------------------------------");
+				PrintAndLog("Remaining segment payload:  (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
+				PrintAndLog("\nrow  | data");
+				PrintAndLog("-----+------------------------------------------------");
 
 				for ( k=i; k < (i+remain_seg_payload_len); ++k)
-				data_buf[k] ^= crc;
+					data_buf[k] ^= crc;
 		
-		print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+				print_hex_break( data_buf+i, remain_seg_payload_len, 16);
     
-		i += remain_seg_payload_len;
+				i += remain_seg_payload_len;
 		
-		PrintAndLog("-----+------------------------------------------------\n");
+				PrintAndLog("-----+------------------------------------------------\n");
 
-		// end with last segment
-		if (segment_flag & 0x8) return 0;
+				// end with last segment
+				if (segment_flag & 0x8) return 0;
 
-	} // end for loop
+			} // end for loop
 		
 		} else {
 
 			// Data start point on unsegmented cards
 			i = 8;
 
-			wrp          = data_buf[7] & 0x0F;
-			wrc          = (data_buf[7] & 0x07) >> 4;
+			wrp = data_buf[7] & 0x0F;
+			wrc = (data_buf[7] & 0x70) >> 4;
 
 			bool hasWRC = (wrc > 0);
 			bool hasWRP = (wrp > wrc);
@@ -322,7 +325,7 @@ int CmdLegicDecode(const char *Cmd) {
 				PrintAndLog("Remaining write protected area:  (I %d | WRC %d | WRP %d | WRP_LEN %d)", i, wrc, wrp, wrp_len);
 				PrintAndLog("\nrow  | data");
 				PrintAndLog("-----+------------------------------------------------");
-				print_hex_break( data_buf+i, wrp_len, 16);
+				print_hex_break( data_buf + i, wrp_len, 16);
 				i += wrp_len;
 			
 				// does this one work? (Answer: Only if KGH/BGH is used with BCD encoded card number! So maybe this will show just garbage...)
@@ -333,13 +336,12 @@ int CmdLegicDecode(const char *Cmd) {
 			PrintAndLog("Remaining segment payload:  (I %d | Remain LEN %d)", i, remain_seg_payload_len);
 			PrintAndLog("\nrow  | data");
 			PrintAndLog("-----+------------------------------------------------");
-			print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+			print_hex_break( data_buf + i, remain_seg_payload_len, 16);
 			i += remain_seg_payload_len;
 		
 			PrintAndLog("-----+------------------------------------------------\n");
 		}
 	}
-
 	return 0;
 }
 
@@ -351,7 +353,7 @@ int CmdLegicRFRead(const char *Cmd) {
 	char cmdp = param_getchar(Cmd, 0);
 	if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read();
 	
-	int byte_count=0, offset=0;
+	int byte_count = 0, offset = 0;
 	sscanf(Cmd, "%i %i", &offset, &byte_count);
 	if(byte_count == 0) byte_count = -1;
 	if(byte_count + offset > 1024) byte_count = 1024 - offset;
@@ -362,8 +364,10 @@ int CmdLegicRFRead(const char *Cmd) {
 	return 0;
 }
 
+
 int CmdLegicLoad(const char *Cmd) {
-	
+
+// iceman: potential bug, where all filepaths or filename which starts with H or h will print the helptext :)	
 	char cmdp = param_getchar(Cmd, 0);
 	if ( cmdp == 'H' || cmdp == 'h' || cmdp == 0x00) return usage_legic_load();
 
@@ -444,9 +448,11 @@ int CmdLegicSave(const char *Cmd) {
 	int requested = 1024;
 	int offset = 0;
 	int delivered = 0;
-	char filename[FILE_PATH_SIZE];
+	char filename[FILE_PATH_SIZE] = {0x00};
 	uint8_t got[1024] = {0x00};
 
+	memset(filename, 0, FILE_PATH_SIZE);
+	
 	sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
 
 	/* If no length given save entire legic read buffer */
@@ -501,7 +507,7 @@ int CmdLegicRfSim(const char *Cmd) {
 
 //TODO: write a help text (iceman)
 int CmdLegicRfWrite(const char *Cmd) {
-    UsbCommand c = {CMD_WRITER_LEGIC_RF};
+    UsbCommand c = {CMD_WRITER_LEGIC_RF, {0,0,0}};
     int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
 	if(res != 2) {
 		PrintAndLog("Please specify the offset and length as two hex strings");
@@ -570,20 +576,42 @@ int CmdLegicCalcCrc8(const char *Cmd){
 	uint8_t cmdp = 0, uidcrc = 0, type=0;
 	bool errors = false;
 	int len = 0;
+	int bg, en;
 	
 	while(param_getchar(Cmd, cmdp) != 0x00) {
 		switch(param_getchar(Cmd, cmdp)) {
 		case 'b':
 		case 'B':
-			data = malloc(len);
+			// peek at length of the input string so we can
+			// figure out how many elements to malloc in "data"
+			bg=en=0;
+			if (param_getptr(Cmd, &bg, &en, cmdp+1)) {
+				errors = true;
+				break;
+			}
+			len = (en - bg + 1);
+
+			// check that user entered even number of characters
+			// for hex data string
+			if (len & 1) {
+				errors = true;
+				break;
+			}
+
+			// it's possible for user to accidentally enter "b" parameter
+			// more than once - we have to clean previous malloc
+			if (data) free(data);
+			data = malloc(len >> 1);
 			if ( data == NULL ) {
 				PrintAndLog("Can't allocate memory. exiting");
 				errors = true;
 				break;
-			}			
-			param_gethex_ex(Cmd, cmdp+1, data, &len);
-			// if odd symbols, (hexbyte must be two symbols)
-			if ( len & 1 ) errors = true;
+			}
+			
+			if (param_gethex(Cmd, cmdp+1, data, len)) {
+				errors = true;
+				break;
+			}
 
 			len >>= 1;	
 			cmdp += 2;