]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c
Andreas fix for LEGIC MIM1024
[proxmark3-svn] / client / cmdhflegic.c
1 #include <stdio.h>
2 #include <string.h>
3 #include "proxusb.h"
4 #include "data.h"
5 #include "ui.h"
6 #include "cmdparser.h"
7 #include "cmdhflegic.h"
8 #include "cmdmain.h"
9
10 static int CmdHelp(const char *Cmd);
11
12 static command_t CommandTable[] =
13 {
14 {"help", CmdHelp, 1, "This help"},
15 {"decode", CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
16 {"reader", CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
17 {NULL, NULL, 0, NULL}
18 };
19
20 int CmdHFLegic(const char *Cmd)
21 {
22 CmdsParse(CommandTable, Cmd);
23 return 0;
24 }
25
26 int CmdHelp(const char *Cmd)
27 {
28 CmdsHelp(CommandTable);
29 return 0;
30 }
31
32 /*
33 * Output BigBuf and deobfuscate LEGIC RF tag data.
34 * This is based on information given in the talk held
35 * by Henryk Ploetz and Karsten Nohl at 26c3
36 */
37 int CmdLegicDecode(const char *Cmd)
38 {
39 int h, i, j, k, n;
40 int segment_len = 0;
41 int segment_flag = 0;
42 int stamp_len = 0;
43 int crc = 0;
44 int wrp = 0;
45 int wrc = 0;
46 int data_buf[1032]; // receiver buffer
47 char out_string[3076]; // just use big buffer - bad practice
48 char token_type[4];
49 int delivered = 0;
50
51 h = 0;
52
53 // copy data from proxmark into buffer
54 for (i = 0; i < 256; i += 12, h += 48) {
55 UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
56 SendCommand(&c);
57 WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
58
59 for (j = 0; j < 48; j += 8) {
60 for (k = 0; k < 8; k++) {
61 data_buf[h+j+k] = sample_buf[j+k];
62 }
63 delivered += 8;
64 if (delivered >= 1024)
65 break;
66 }
67 }
68
69 // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
70
71 PrintAndLog("\nCDF: System Area");
72
73 PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
74 data_buf[0],
75 data_buf[1],
76 data_buf[2],
77 data_buf[3],
78 data_buf[4]
79 );
80
81 crc = data_buf[4];
82
83 switch (data_buf[5]&0x7f) {
84 case 0x00 ... 0x2f:
85 strncpy(token_type, "IAM",sizeof(token_type));
86 break;
87 case 0x30 ... 0x6f:
88 strcpy(token_type, "SAM");
89 break;
90 case 0x70 ... 0x7f:
91 strcpy(token_type, "GAM");
92 break;
93 default:
94 strcpy(token_type, "???");
95 break;
96 }
97
98 stamp_len = 0xfc - data_buf[6];
99
100 PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
101 data_buf[5],
102 data_buf[6],
103 token_type,
104 (data_buf[5]&0x80)>>7,
105 stamp_len
106 );
107
108 PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
109 data_buf[7]&0x0f,
110 (data_buf[7]&0x70)>>4,
111 (data_buf[7]&0x80)>>7,
112 data_buf[7],
113 data_buf[8]
114 );
115
116 PrintAndLog("Remaining Header Area");
117
118 PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
119 data_buf[9],
120 data_buf[10],
121 data_buf[11],
122 data_buf[12],
123 data_buf[13],
124 data_buf[14],
125 data_buf[15],
126 data_buf[16],
127 data_buf[17],
128 data_buf[18],
129 data_buf[19],
130 data_buf[20],
131 data_buf[21]
132 );
133
134 PrintAndLog("\nADF: User Area");
135
136 i = 22;
137 for (n=0; n<64; n++) {
138 segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
139 segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
140
141 wrp = (data_buf[i+2]^crc);
142 wrc = ((data_buf[i+3]^crc)&0x70)>>4;
143
144 PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
145 n,
146 data_buf[i]^crc,
147 data_buf[i+1]^crc,
148 data_buf[i+2]^crc,
149 data_buf[i+3]^crc,
150 segment_flag,
151 (segment_flag&0x4)>>2,
152 (segment_flag&0x8)>>3,
153 segment_len,
154 wrp,
155 wrc,
156 ((data_buf[i+3]^crc)&0x80)>>7,
157 (data_buf[i+4]^crc)
158 );
159
160 i+=5;
161
162 if (wrc>0) {
163 PrintAndLog("WRC protected area:");
164 for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
165 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
166 out_string[j+2] = ' ';
167 };
168
169 out_string[j] = '\0';
170
171 PrintAndLog("%s", out_string);
172 }
173
174 if (wrp>wrc) {
175 PrintAndLog("Remaining write protected area:");
176
177 for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
178 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
179 out_string[j+2] = ' ';
180 };
181
182 out_string[j] = '\0';
183
184 PrintAndLog("%s", out_string);
185 if((wrp-wrc) == 8) {
186 sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
187 PrintAndLog("%s", out_string);
188 }
189 }
190
191 PrintAndLog("Remaining segment payload:");
192 for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
193 sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
194 out_string[j+2] = ' ';
195 };
196
197 out_string[j] = '\0';
198
199 PrintAndLog("%s", out_string);
200
201 // end with last segment
202 if (segment_flag & 0x8)
203 return 0;
204 };
205 return 0;
206 }
207
208 int CmdLegicRFRead(const char *Cmd)
209 {
210 int byte_count=0,offset=0;
211 sscanf(Cmd, "%i %i", &offset, &byte_count);
212 if(byte_count == 0) byte_count = -1;
213 if(byte_count + offset > 1024) byte_count = 1024 - offset;
214 UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
215 SendCommand(&c);
216 return 0;
217 }
Impressum, Datenschutz