1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
8 // High frequency Legic commands
9 //-----------------------------------------------------------------------------
11 #include "cmdhflegic.h"
18 #include "cmdparser.h"
21 #include "../include/legic.h"
23 static int CmdHelp(const char *Cmd
);
25 static command_t CommandTable
[] =
27 {"help", CmdHelp
, 1, "This help"},
28 {"decode", CmdLegicDecode
, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
29 {"reader", CmdLegicRFRead
, 0, "[offset [length]] -- read bytes from a LEGIC card"},
30 {"save", CmdLegicSave
, 0, "<filename> [<length>] -- Store samples"},
31 {"load", CmdLegicLoad
, 0, "<filename> -- Restore samples"},
32 {"sim", CmdLegicRfSim
, 0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
33 {"write", CmdLegicRfWrite
,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
34 {"fill", CmdLegicRfFill
, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
38 int CmdHFLegic(const char *Cmd
)
40 CmdsParse(CommandTable
, Cmd
);
44 int CmdHelp(const char *Cmd
)
46 CmdsHelp(CommandTable
);
51 * Output BigBuf and deobfuscate LEGIC RF tag data.
52 * This is based on information given in the talk held
53 * by Henryk Ploetz and Karsten Nohl at 26c3
55 int CmdLegicDecode(const char *Cmd
)
64 uint8_t data_buf
[1053]; // receiver buffer
65 char out_string
[3076]; // just use big buffer - bad practice
68 // copy data from proxmark into buffer
69 GetFromBigBuf(data_buf
, sizeof(data_buf
), 0, NULL
, -1, false);
71 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
73 PrintAndLog("\nCDF: System Area");
75 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
85 switch (data_buf
[5]&0x7f) {
87 strncpy(token_type
, "IAM",sizeof(token_type
));
90 strcpy(token_type
, "SAM");
93 strcpy(token_type
, "GAM");
96 strcpy(token_type
, "???");
100 stamp_len
= 0xfc - data_buf
[6];
102 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
106 (data_buf
[5]&0x80)>>7,
110 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
112 (data_buf
[7]&0x70)>>4,
113 (data_buf
[7]&0x80)>>7,
118 PrintAndLog("Remaining Header Area");
120 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
136 PrintAndLog("\nADF: User Area");
139 for (n
=0; n
<64; n
++) {
140 segment_len
= ((data_buf
[i
+1]^crc
)&0x0f) * 256 + (data_buf
[i
]^crc
);
141 segment_flag
= ((data_buf
[i
+1]^crc
)&0xf0)>>4;
143 wrp
= (data_buf
[i
+2]^crc
);
144 wrc
= ((data_buf
[i
+3]^crc
)&0x70)>>4;
146 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
153 (segment_flag
&0x4)>>2,
154 (segment_flag
&0x8)>>3,
158 ((data_buf
[i
+3]^crc
)&0x80)>>7,
165 PrintAndLog("WRC protected area:");
166 for (k
=0, j
=0; k
< wrc
&& j
<(sizeof(out_string
)-3); k
++, i
++, j
+= 3) {
167 sprintf(&out_string
[j
], "%02x", (data_buf
[i
]^crc
));
168 out_string
[j
+2] = ' ';
171 out_string
[j
] = '\0';
173 PrintAndLog("%s", out_string
);
177 PrintAndLog("Remaining write protected area:");
179 for (k
=0, j
=0; k
< (wrp
-wrc
) && j
<(sizeof(out_string
)-3); k
++, i
++, j
+= 3) {
180 sprintf(&out_string
[j
], "%02x", (data_buf
[i
]^crc
));
181 out_string
[j
+2] = ' ';
184 out_string
[j
] = '\0';
186 PrintAndLog("%s", out_string
);
188 sprintf(out_string
,"Card ID: %2X%02X%02X",data_buf
[i
-4]^crc
,data_buf
[i
-3]^crc
,data_buf
[i
-2]^crc
);
189 PrintAndLog("%s", out_string
);
193 PrintAndLog("Remaining segment payload:");
194 for (k
=0, j
=0; k
< (segment_len
- wrp
- 5) && j
<(sizeof(out_string
)-3); k
++, i
++, j
+= 3) {
195 sprintf(&out_string
[j
], "%02x", (data_buf
[i
]^crc
));
196 out_string
[j
+2] = ' ';
199 out_string
[j
] = '\0';
201 PrintAndLog("%s", out_string
);
203 // end with last segment
204 if (segment_flag
& 0x8)
210 int CmdLegicRFRead(const char *Cmd
)
212 int byte_count
=0,offset
=0;
213 sscanf(Cmd
, "%i %i", &offset
, &byte_count
);
214 if(byte_count
== 0) byte_count
= -1;
215 if(byte_count
+ offset
> 1024) byte_count
= 1024 - offset
;
216 UsbCommand c
={CMD_READER_LEGIC_RF
, {offset
, byte_count
, 0}};
219 WaitForResponse(CMD_ACK
,&resp
);
220 switch (resp
.arg
[0]) {
221 legic_card_select_t card
;
223 memcpy(&card
, resp
.d
.asBytes
, sizeof(card
));
224 PrintAndLog("Card (MIM %i) read, use 'hf legic decode' or", card
.cardsize
);
225 PrintAndLog("'data hexsamples %d' to view results", (resp
.arg
[1] + 7) & ~7);
228 PrintAndLog("No or unknown card found, aborting");
231 PrintAndLog("operation failed @ 0x%03.3x", resp
.arg
[1]);
237 int CmdLegicLoad(const char *Cmd
)
239 char filename
[FILE_PATH_SIZE
] = {0x00};
242 if (param_getchar(Cmd
, 0) == 'h' || param_getchar(Cmd
, 0)== 0x00) {
243 PrintAndLog("It loads datasamples from the file `filename`");
244 PrintAndLog("Usage: hf legic load <file name>");
245 PrintAndLog(" sample: hf legic load filename");
250 if (len
> FILE_PATH_SIZE
) {
251 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len
, FILE_PATH_SIZE
);
254 memcpy(filename
, Cmd
, len
);
256 FILE *f
= fopen(filename
, "r");
258 PrintAndLog("couldn't open '%s'", Cmd
);
261 char line
[80]; int offset
= 0; unsigned int data
[8];
262 while (fgets(line
, sizeof(line
), f
)) {
263 int res
= sscanf(line
, "%x %x %x %x %x %x %x %x",
264 &data
[0], &data
[1], &data
[2], &data
[3],
265 &data
[4], &data
[5], &data
[6], &data
[7]);
267 PrintAndLog("Error: could not read samples");
271 UsbCommand c
={CMD_DOWNLOADED_SIM_SAMPLES_125K
, {offset
, 1, 0}};
272 int j
; for(j
= 0; j
< 8; j
++) {
273 c
.d
.asBytes
[j
] = data
[j
];
276 WaitForResponse(CMD_ACK
, NULL
);
280 PrintAndLog("loaded %u samples", offset
);
284 int CmdLegicSave(const char *Cmd
)
286 int requested
= 1024;
289 char filename
[FILE_PATH_SIZE
];
292 sscanf(Cmd
, " %s %i %i", filename
, &requested
, &offset
);
294 /* If no length given save entire legic read buffer */
295 /* round up to nearest 8 bytes so the saved data can be used with legicload */
296 if (requested
== 0) {
299 if (requested
% 8 != 0) {
300 int remainder
= requested
% 8;
301 requested
= requested
+ 8 - remainder
;
303 if (offset
+ requested
> sizeof(got
)) {
304 PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
308 FILE *f
= fopen(filename
, "w");
310 PrintAndLog("couldn't open '%s'", Cmd
+1);
314 GetFromBigBuf(got
, requested
, offset
, NULL
, -1, false);
316 for (int j
= 0; j
< requested
; j
+= 8) {
317 fprintf(f
, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
328 if (delivered
>= requested
)
333 PrintAndLog("saved %u samples", delivered
);
337 int CmdLegicRfSim(const char *Cmd
)
339 UsbCommand c
={CMD_SIMULATE_TAG_LEGIC_RF
};
341 sscanf(Cmd
, " %" SCNi64
, &c
.arg
[0]);
346 int CmdLegicRfWrite(const char *Cmd
)
348 UsbCommand c
={CMD_WRITER_LEGIC_RF
};
349 int res
= sscanf(Cmd
, " 0x%" SCNx64
" 0x%" SCNx64
, &c
.arg
[0], &c
.arg
[1]);
351 PrintAndLog("Please specify the offset and length as two hex strings");
358 int CmdLegicRfFill(const char *Cmd
)
360 UsbCommand cmd
={CMD_WRITER_LEGIC_RF
};
361 int res
= sscanf(Cmd
, " 0x%" SCNx64
" 0x%" SCNx64
" 0x%" SCNx64
, &cmd
.arg
[0], &cmd
.arg
[1], &cmd
.arg
[2]);
363 PrintAndLog("Please specify the offset, length and value as two hex strings");
368 UsbCommand c
={CMD_DOWNLOADED_SIM_SAMPLES_125K
, {0, 1, 0}};
369 for (i
= 0; i
< 48; i
++) {
370 c
.d
.asBytes
[i
] = cmd
.arg
[2];
372 for (i
= 0; i
< 22; i
++) {
375 WaitForResponse(CMD_ACK
,NULL
);