[proxmark3-svn] / client / cmdhflegic.c

#include <stdio.h>
#include <string.h>
#include "proxusb.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhflegic.h"
#include "cmdmain.h"

static int CmdHelp(const char *Cmd);

static command_t CommandTable[] = 
{
  {"help",        CmdHelp,        1, "This help"},
  {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  {NULL, NULL, 0, NULL}
};

int CmdHFLegic(const char *Cmd)
{
  CmdsParse(CommandTable, Cmd);
  return 0;
}

int CmdHelp(const char *Cmd)
{
  CmdsHelp(CommandTable);
  return 0;
}

/*
 *  Output BigBuf and deobfuscate LEGIC RF tag data.
 *   This is based on information given in the talk held
 *  by Henryk Ploetz and Karsten Nohl at 26c3
 */
int CmdLegicDecode(const char *Cmd)
{
  int h, i, j, k, n;
  int segment_len = 0;
  int segment_flag = 0;
  int stamp_len = 0;
  int crc = 0;
  int wrp = 0;
  int wrc = 0;
  int data_buf[1032]; // receiver buffer
  char out_string[3076]; // just use big buffer - bad practice
  char token_type[4];
  int delivered = 0;

  h = 0;
  
  // copy data from proxmark into buffer
  for (i = 0; i < 256; i += 12, h += 48) {
    UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
    SendCommand(&c);
    WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
    
    for (j = 0; j < 48; j += 8) {
      for (k = 0; k < 8; k++) {
        data_buf[h+j+k] = sample_buf[j+k];
      }
      delivered += 8;
      if (delivered >= 1024)
        break;
    }
  }
    
  // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  
  PrintAndLog("\nCDF: System Area");
  
  PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
    data_buf[0],
    data_buf[1],
    data_buf[2],
    data_buf[3],
    data_buf[4]
  );
  
  crc = data_buf[4];
 
  switch (data_buf[5]&0x7f) {
    case 0x00 ... 0x2f:
      strncpy(token_type, "IAM",sizeof(token_type));
      break;
    case 0x30 ... 0x6f:
      strcpy(token_type, "SAM");
      break;
    case 0x70 ... 0x7f:
      strcpy(token_type, "GAM");
      break;
    default:
      strcpy(token_type, "???");
      break;
  }
  
  stamp_len = 0xfc - data_buf[6];
  
  PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
    data_buf[5],
    data_buf[6],
    token_type,
    (data_buf[5]&0x80)>>7,
    stamp_len
  );
  
  PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
    data_buf[7]&0x0f,
    (data_buf[7]&0x70)>>4,
    (data_buf[7]&0x80)>>7,
    data_buf[7],
    data_buf[8]
  );
  
  PrintAndLog("Remaining Header Area");
  
  PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
      data_buf[9],
    data_buf[10],
    data_buf[11],
    data_buf[12],
    data_buf[13],
    data_buf[14],
    data_buf[15],
    data_buf[16],
    data_buf[17],
    data_buf[18],
    data_buf[19],
    data_buf[20],
    data_buf[21]
  );
  
  PrintAndLog("\nADF: User Area");
  
  i = 22;  
  for (n=0; n<64; n++) {
    segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
    segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
    
    wrp = (data_buf[i+2]^crc);
    wrc = ((data_buf[i+3]^crc)&0x70)>>4;
    
     PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
      n,
      data_buf[i]^crc,
      data_buf[i+1]^crc,
      data_buf[i+2]^crc,
      data_buf[i+3]^crc,
      segment_flag,
      (segment_flag&0x4)>>2,
      (segment_flag&0x8)>>3,
      segment_len,
      wrp,
      wrc,
      ((data_buf[i+3]^crc)&0x80)>>7,
      (data_buf[i+4]^crc)
    );
    
    i+=5;
    
    if (wrc>0) {
      PrintAndLog("WRC protected area:");
      for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
        
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
    }
    
    if (wrp>wrc) {
      PrintAndLog("Remaining write protected area:");
      
      for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
        sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
        out_string[j+2] = ' ';
      };
    
      out_string[j] = '\0';
    
      PrintAndLog("%s", out_string);
      if((wrp-wrc) == 8) {
        sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
        PrintAndLog("%s", out_string);
      }
    }
    
    PrintAndLog("Remaining segment payload:");
    for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
      sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
      out_string[j+2] = ' ';
    };
    
    out_string[j] = '\0';
    
    PrintAndLog("%s", out_string);
    
    // end with last segment
    if (segment_flag & 0x8)
      return 0;
  };
  return 0;
}

int CmdLegicRFRead(const char *Cmd)
{
  int byte_count=0,offset=0;
  sscanf(Cmd, "%i %i", &offset, &byte_count);
  if(byte_count == 0) byte_count = 256;
  if(byte_count + offset > 256) byte_count = 256 - offset;
  UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
  SendCommand(&c);
  return 0;
}
Commit	Line	Data
8e220a91	1	#include <stdio.h>
8e220a91	2	#include <string.h>
7fe9b0b7	3	#include "proxusb.h"
41dab153	4	#include "data.h"
41dab153	5	#include "ui.h"
7fe9b0b7	6	#include "cmdparser.h"
7fe9b0b7	7	#include "cmdhflegic.h"
669c1b80	8	#include "cmdmain.h"
7fe9b0b7	9
	10	static int CmdHelp(const char *Cmd);
	11
7fe9b0b7	12	static command_t CommandTable[] =
	13	{
	14	{"help", CmdHelp, 1, "This help"},
669c1b80	15	{"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
41dab153	16	{"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
7fe9b0b7	17	{NULL, NULL, 0, NULL}
	18	};
	19
	20	int CmdHFLegic(const char *Cmd)
	21	{
	22	CmdsParse(CommandTable, Cmd);
	23	return 0;
	24	}
	25
	26	int CmdHelp(const char *Cmd)
	27	{
	28	CmdsHelp(CommandTable);
	29	return 0;
	30	}
669c1b80	31
	32	/*
	33	* Output BigBuf and deobfuscate LEGIC RF tag data.
	34	* This is based on information given in the talk held
	35	* by Henryk Ploetz and Karsten Nohl at 26c3
669c1b80	36	*/
	37	int CmdLegicDecode(const char *Cmd)
	38	{
	39	int h, i, j, k, n;
	40	int segment_len = 0;
	41	int segment_flag = 0;
	42	int stamp_len = 0;
	43	int crc = 0;
	44	int wrp = 0;
	45	int wrc = 0;
	46	int data_buf[1032]; // receiver buffer
	47	char out_string[3076]; // just use big buffer - bad practice
	48	char token_type[4];
	49	int delivered = 0;
	50
	51	h = 0;
	52
	53	// copy data from proxmark into buffer
	54	for (i = 0; i < 256; i += 12, h += 48) {
	55	UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
	56	SendCommand(&c);
	57	WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
	58
	59	for (j = 0; j < 48; j += 8) {
	60	for (k = 0; k < 8; k++) {
	61	data_buf[h+j+k] = sample_buf[j+k];
	62	}
	63	delivered += 8;
	64	if (delivered >= 1024)
	65	break;
	66	}
	67	}
	68
	69	// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
	70
	71	PrintAndLog("\nCDF: System Area");
	72
	73	PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
	74	data_buf[0],
	75	data_buf[1],
	76	data_buf[2],
	77	data_buf[3],
	78	data_buf[4]
	79	);
	80
	81	crc = data_buf[4];
	82
	83	switch (data_buf[5]&0x7f) {
	84	case 0x00 ... 0x2f:
	85	strncpy(token_type, "IAM",sizeof(token_type));
	86	break;
	87	case 0x30 ... 0x6f:
	88	strcpy(token_type, "SAM");
	89	break;
	90	case 0x70 ... 0x7f:
	91	strcpy(token_type, "GAM");
	92	break;
	93	default:
	94	strcpy(token_type, "???");
	95	break;
	96	}
	97
	98	stamp_len = 0xfc - data_buf[6];
	99
100	PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
101	data_buf[5],
102	data_buf[6],
103	token_type,
104	(data_buf[5]&0x80)>>7,
105	stamp_len
106	);
107
108	PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
109	data_buf[7]&0x0f,
110	(data_buf[7]&0x70)>>4,
111	(data_buf[7]&0x80)>>7,
112	data_buf[7],
113	data_buf[8]
114	);
115
116	PrintAndLog("Remaining Header Area");
117
118	PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
119	data_buf[9],
120	data_buf[10],
121	data_buf[11],
122	data_buf[12],
123	data_buf[13],
124	data_buf[14],
125	data_buf[15],
126	data_buf[16],
127	data_buf[17],
128	data_buf[18],
129	data_buf[19],
130	data_buf[20],
131	data_buf[21]
132	);
133
134	PrintAndLog("\nADF: User Area");
135
41dab153	136	i = 22;
669c1b80	137	for (n=0; n<64; n++) {
	138	segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
	139	segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
	140
	141	wrp = (data_buf[i+2]^crc);
	142	wrc = ((data_buf[i+3]^crc)&0x70)>>4;
	143
	144	PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
	145	n,
	146	data_buf[i]^crc,
	147	data_buf[i+1]^crc,
	148	data_buf[i+2]^crc,
	149	data_buf[i+3]^crc,
	150	segment_flag,
	151	(segment_flag&0x4)>>2,
	152	(segment_flag&0x8)>>3,
	153	segment_len,
	154	wrp,
	155	wrc,
	156	((data_buf[i+3]^crc)&0x80)>>7,
	157	(data_buf[i+4]^crc)
	158	);
	159
	160	i+=5;
	161
	162	if (wrc>0) {
	163	PrintAndLog("WRC protected area:");
31332265	164	for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	165	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	166	out_string[j+2] = ' ';
	167	};
	168
	169	out_string[j] = '\0';
	170
	171	PrintAndLog("%s", out_string);
	172	}
	173
	174	if (wrp>wrc) {
	175	PrintAndLog("Remaining write protected area:");
	176
31332265	177	for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	178	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	179	out_string[j+2] = ' ';
	180	};
	181
	182	out_string[j] = '\0';
	183
	184	PrintAndLog("%s", out_string);
	185	if((wrp-wrc) == 8) {
	186	sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
	187	PrintAndLog("%s", out_string);
	188	}
	189	}
	190
	191	PrintAndLog("Remaining segment payload:");
31332265	192	for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
669c1b80	193	sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
	194	out_string[j+2] = ' ';
	195	};
	196
	197	out_string[j] = '\0';
	198
	199	PrintAndLog("%s", out_string);
	200
	201	// end with last segment
	202	if (segment_flag & 0x8)
	203	return 0;
	204	};
	205	return 0;
	206	}
41dab153	207
	208	int CmdLegicRFRead(const char *Cmd)
	209	{
	210	int byte_count=0,offset=0;
	211	sscanf(Cmd, "%i %i", &offset, &byte_count);
	212	if(byte_count == 0) byte_count = 256;
	213	if(byte_count + offset > 256) byte_count = 256 - offset;
	214	UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
	215	SendCommand(&c);
	216	return 0;
	217	}