]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/cmdhflegic.c
CHG: making sure no buffer overflows will occure in ul_send_cmd_raw by adding respon...
[proxmark3-svn] / client / cmdhflegic.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// High frequency Legic commands
9//-----------------------------------------------------------------------------
10
8e220a91 11#include <stdio.h>
12#include <string.h>
902cb3c0 13#include "proxmark3.h"
41dab153 14#include "data.h"
15#include "ui.h"
7fe9b0b7 16#include "cmdparser.h"
17#include "cmdhflegic.h"
669c1b80 18#include "cmdmain.h"
31d1caa5 19#include "util.h"
7fe9b0b7 20static int CmdHelp(const char *Cmd);
21
7fe9b0b7 22static command_t CommandTable[] =
23{
24 {"help", CmdHelp, 1, "This help"},
669c1b80 25 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153 26 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
3612a8a8 27 {"save", CmdLegicSave, 0, "<filename> [<length>] -- Store samples"},
28 {"load", CmdLegicLoad, 0, "<filename> -- Restore samples"},
29 {"sim", CmdLegicRfSim, 0, "[phase drift [frame drift [req/resp drift]]] Start tag simulator (use after load or read)"},
30 {"write", CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
31 {"fill", CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
7fe9b0b7 32 {NULL, NULL, 0, NULL}
33};
34
35int CmdHFLegic(const char *Cmd)
36{
37 CmdsParse(CommandTable, Cmd);
38 return 0;
39}
40
41int CmdHelp(const char *Cmd)
42{
43 CmdsHelp(CommandTable);
44 return 0;
45}
669c1b80 46
47/*
48 * Output BigBuf and deobfuscate LEGIC RF tag data.
49 * This is based on information given in the talk held
50 * by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80 51 */
52int CmdLegicDecode(const char *Cmd)
53{
4961e292 54 int i, j, k, n;
669c1b80 55 int segment_len = 0;
56 int segment_flag = 0;
57 int stamp_len = 0;
58 int crc = 0;
59 int wrp = 0;
60 int wrc = 0;
4961e292 61 uint8_t data_buf[1024]; // receiver buffer
669c1b80 62 char out_string[3076]; // just use big buffer - bad practice
63 char token_type[4];
669c1b80 64
65 // copy data from proxmark into buffer
4961e292 66 GetFromBigBuf(data_buf,sizeof(data_buf),0);
67 WaitForResponse(CMD_ACK,NULL);
669c1b80 68
69 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
70
71 PrintAndLog("\nCDF: System Area");
72
73 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
74 data_buf[0],
75 data_buf[1],
76 data_buf[2],
77 data_buf[3],
78 data_buf[4]
79 );
80
81 crc = data_buf[4];
82
83 switch (data_buf[5]&0x7f) {
84 case 0x00 ... 0x2f:
85 strncpy(token_type, "IAM",sizeof(token_type));
86 break;
87 case 0x30 ... 0x6f:
88 strcpy(token_type, "SAM");
89 break;
90 case 0x70 ... 0x7f:
91 strcpy(token_type, "GAM");
92 break;
93 default:
94 strcpy(token_type, "???");
95 break;
96 }
97
98 stamp_len = 0xfc - data_buf[6];
99
100 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
101 data_buf[5],
102 data_buf[6],
103 token_type,
104 (data_buf[5]&0x80)>>7,
105 stamp_len
106 );
107
108 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
109 data_buf[7]&0x0f,
110 (data_buf[7]&0x70)>>4,
111 (data_buf[7]&0x80)>>7,
112 data_buf[7],
113 data_buf[8]
114 );
115
116 PrintAndLog("Remaining Header Area");
117
118 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
119 data_buf[9],
120 data_buf[10],
121 data_buf[11],
122 data_buf[12],
123 data_buf[13],
124 data_buf[14],
125 data_buf[15],
126 data_buf[16],
127 data_buf[17],
128 data_buf[18],
129 data_buf[19],
130 data_buf[20],
131 data_buf[21]
132 );
133
134 PrintAndLog("\nADF: User Area");
135
41dab153 136 i = 22;
669c1b80 137 for (n=0; n<64; n++) {
138 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
139 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
140
141 wrp = (data_buf[i+2]^crc);
142 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
143
144 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
145 n,
146 data_buf[i]^crc,
147 data_buf[i+1]^crc,
148 data_buf[i+2]^crc,
149 data_buf[i+3]^crc,
150 segment_flag,
151 (segment_flag&0x4)>>2,
152 (segment_flag&0x8)>>3,
153 segment_len,
154 wrp,
155 wrc,
156 ((data_buf[i+3]^crc)&0x80)>>7,
157 (data_buf[i+4]^crc)
158 );
159
160 i+=5;
161
162 if (wrc>0) {
163 PrintAndLog("WRC protected area:");
31332265 164 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 165 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
166 out_string[j+2] = ' ';
167 };
168
169 out_string[j] = '\0';
170
171 PrintAndLog("%s", out_string);
172 }
173
174 if (wrp>wrc) {
175 PrintAndLog("Remaining write protected area:");
176
31332265 177 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 178 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
179 out_string[j+2] = ' ';
180 };
181
182 out_string[j] = '\0';
183
184 PrintAndLog("%s", out_string);
185 if((wrp-wrc) == 8) {
186 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
187 PrintAndLog("%s", out_string);
188 }
189 }
190
191 PrintAndLog("Remaining segment payload:");
31332265 192 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80 193 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
194 out_string[j+2] = ' ';
195 };
196
197 out_string[j] = '\0';
198
199 PrintAndLog("%s", out_string);
200
201 // end with last segment
202 if (segment_flag & 0x8)
203 return 0;
204 };
205 return 0;
206}
41dab153 207
208int CmdLegicRFRead(const char *Cmd)
209{
210 int byte_count=0,offset=0;
211 sscanf(Cmd, "%i %i", &offset, &byte_count);
a2b1414f 212 if(byte_count == 0) byte_count = -1;
213 if(byte_count + offset > 1024) byte_count = 1024 - offset;
41dab153 214 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
215 SendCommand(&c);
216 return 0;
217}
3612a8a8 218
219int CmdLegicLoad(const char *Cmd)
220{
b915fda3 221 char filename[FILE_PATH_SIZE] = {0x00};
222 int len = 0;
223
224 if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
225 PrintAndLog("It loads datasamples from the file `filename`");
226 PrintAndLog("Usage: hf legic load <file name>");
227 PrintAndLog(" sample: hf legic load filename");
228 return 0;
229 }
230
231 len = strlen(Cmd);
232 if (len > FILE_PATH_SIZE) {
233 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
234 return 0;
235 }
236 memcpy(filename, Cmd, len);
237
238 FILE *f = fopen(filename, "r");
3612a8a8 239 if(!f) {
240 PrintAndLog("couldn't open '%s'", Cmd);
241 return -1;
242 }
243 char line[80]; int offset = 0; unsigned int data[8];
244 while(fgets(line, sizeof(line), f)) {
245 int res = sscanf(line, "%x %x %x %x %x %x %x %x",
246 &data[0], &data[1], &data[2], &data[3],
247 &data[4], &data[5], &data[6], &data[7]);
248 if(res != 8) {
249 PrintAndLog("Error: could not read samples");
250 fclose(f);
251 return -1;
252 }
253 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 0, 0}};
254 int j; for(j = 0; j < 8; j++) {
255 c.d.asBytes[j] = data[j];
256 }
257 SendCommand(&c);
902cb3c0 258 WaitForResponse(CMD_ACK, NULL);
3612a8a8 259 offset += 8;
260 }
261 fclose(f);
262 PrintAndLog("loaded %u samples", offset);
263 return 0;
264}
265
266int CmdLegicSave(const char *Cmd)
267{
3612a8a8 268 int requested = 1024;
269 int offset = 0;
4961e292 270 int delivered = 0;
b915fda3 271 char filename[FILE_PATH_SIZE];
4961e292 272 uint8_t got[1024];
273
3612a8a8 274 sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
3612a8a8 275
4961e292 276 /* If no length given save entire legic read buffer */
277 /* round up to nearest 8 bytes so the saved data can be used with legicload */
3612a8a8 278 if (requested == 0) {
4961e292 279 requested = 1024;
3612a8a8 280 }
4961e292 281 if (requested % 8 != 0) {
282 int remainder = requested % 8;
283 requested = requested + 8 - remainder;
284 }
4961e292 285 if (offset + requested > sizeof(got)) {
286 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
287 return 0;
288 }
289
3612a8a8 290 FILE *f = fopen(filename, "w");
291 if(!f) {
292 PrintAndLog("couldn't open '%s'", Cmd+1);
293 return -1;
294 }
295
4961e292 296 GetFromBigBuf(got,requested,offset);
297 WaitForResponse(CMD_ACK,NULL);
298
299 for (int j = 0; j < requested; j += 8) {
300 fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
301 got[j+0],
302 got[j+1],
303 got[j+2],
304 got[j+3],
305 got[j+4],
306 got[j+5],
307 got[j+6],
308 got[j+7]
309 );
310 delivered += 8;
3612a8a8 311 if (delivered >= requested)
312 break;
313 }
314
315 fclose(f);
316 PrintAndLog("saved %u samples", delivered);
317 return 0;
318}
319
320int CmdLegicRfSim(const char *Cmd)
321{
322 UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
323 c.arg[0] = 6;
324 c.arg[1] = 3;
325 c.arg[2] = 0;
1a07fd51 326 sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
3612a8a8 327 SendCommand(&c);
328 return 0;
329}
330
331int CmdLegicRfWrite(const char *Cmd)
332{
333 UsbCommand c={CMD_WRITER_LEGIC_RF};
125a98a1 334 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
3612a8a8 335 if(res != 2) {
336 PrintAndLog("Please specify the offset and length as two hex strings");
337 return -1;
338 }
339 SendCommand(&c);
340 return 0;
341}
342
343int CmdLegicRfFill(const char *Cmd)
344{
345 UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
1a07fd51 346 int res = sscanf(Cmd, " 0x%"llx" 0x%"llx" 0x%"llx, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
3612a8a8 347 if(res != 3) {
348 PrintAndLog("Please specify the offset, length and value as two hex strings");
349 return -1;
350 }
351
352 int i;
353 UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 0, 0}};
354 for(i = 0; i < 48; i++) {
355 c.d.asBytes[i] = cmd.arg[2];
356 }
357 for(i = 0; i < 22; i++) {
358 c.arg[0] = i*48;
359 SendCommand(&c);
902cb3c0 360 WaitForResponse(CMD_ACK,NULL);
3612a8a8 361 }
362 SendCommand(&cmd);
363 return 0;
364 }
365
Impressum, Datenschutz