cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhflegic.c

   1 //-----------------------------------------------------------------------------
   2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
   3 //
   4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
   5 // at your option, any later version. See the LICENSE.txt file for the text of
   6 // the license.
   7 //-----------------------------------------------------------------------------
   8 // High frequency Legic commands
   9 //-----------------------------------------------------------------------------
  10
  11 #include "cmdhflegic.h"
  12
  13 #include <stdio.h>
  14 #include <string.h>
  15 #include <inttypes.h>
  16 #include "comms.h"
  17 #include "ui.h"
  18 #include "cmdparser.h"
  19 #include "cmdmain.h"
  20 #include "util.h"
  21 #include "../include/legic.h"
  22
  23 static int CmdHelp(const char *Cmd);
  24
  25 static command_t CommandTable[] =
  26 {
  27   {"help",        CmdHelp,        1, "This help"},
  28   {"decode",      CmdLegicDecode, 0, "Display deobfuscated and decoded LEGIC RF tag data (use after hf legic reader)"},
  29   {"reader",      CmdLegicRFRead, 0, "[offset [length]] -- read bytes from a LEGIC card"},
  30   {"save",        CmdLegicSave,   0, "<filename> [<length>] -- Store samples"},
  31   {"load",        CmdLegicLoad,   0, "<filename> -- Restore samples"},
  32   {"sim",         CmdLegicRfSim,  0, "[tagtype, 0:MIM22, 1:MIM256, 2:MIM1024] Start tag simulator (use after load or read)"},
  33   {"write",       CmdLegicRfWrite,0, "<offset> <length> -- Write sample buffer (user after load or read)"},
  34   {"fill",        CmdLegicRfFill, 0, "<offset> <length> <value> -- Fill/Write tag with constant value"},
  35   {NULL, NULL, 0, NULL}
  36 };
  37
  38 int CmdHFLegic(const char *Cmd)
  39 {
  40   CmdsParse(CommandTable, Cmd);
  41   return 0;
  42 }
  43
  44 int CmdHelp(const char *Cmd)
  45 {
  46   CmdsHelp(CommandTable);
  47   return 0;
  48 }
  49
  50 /*
  51  *  Output BigBuf and deobfuscate LEGIC RF tag data.
  52  *   This is based on information given in the talk held
  53  *  by Henryk Ploetz and Karsten Nohl at 26c3
  54  */
  55 int CmdLegicDecode(const char *Cmd)
  56 {
  57   int i, j, k, n;
  58   int segment_len = 0;
  59   int segment_flag = 0;
  60   int stamp_len = 0;
  61   int crc = 0;
  62   int wrp = 0;
  63   int wrc = 0;
  64   uint8_t data_buf[1053]; // receiver buffer
  65   char out_string[3076]; // just use big buffer - bad practice
  66   char token_type[4];
  67
  68   // copy data from proxmark into buffer
  69    GetFromBigBuf(data_buf, sizeof(data_buf), 0, NULL, -1, false);
  70
  71   // Output CDF System area (9 bytes) plus remaining header area (12 bytes)
  72
  73   PrintAndLog("\nCDF: System Area");
  74
  75   PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x",
  76     data_buf[0],
  77     data_buf[1],
  78     data_buf[2],
  79     data_buf[3],
  80     data_buf[4]
  81   );
  82
  83   crc = data_buf[4];
  84
  85   switch (data_buf[5]&0x7f) {
  86     case 0x00 ... 0x2f:
  87       strncpy(token_type, "IAM",sizeof(token_type));
  88       break;
  89     case 0x30 ... 0x6f:
  90       strcpy(token_type, "SAM");
  91       break;
  92     case 0x70 ... 0x7f:
  93       strcpy(token_type, "GAM");
  94       break;
  95     default:
  96       strcpy(token_type, "???");
  97       break;
  98   }
  99
 100   stamp_len = 0xfc - data_buf[6];
 101
 102   PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
 103     data_buf[5],
 104     data_buf[6],
 105     token_type,
 106     (data_buf[5]&0x80)>>7,
 107     stamp_len
 108   );
 109
 110   PrintAndLog("WRP=%02u, WRC=%01u, RD=%01u, raw=%02x, SSC=%02x",
 111     data_buf[7]&0x0f,
 112     (data_buf[7]&0x70)>>4,
 113     (data_buf[7]&0x80)>>7,
 114     data_buf[7],
 115     data_buf[8]
 116   );
 117
 118   PrintAndLog("Remaining Header Area");
 119
 120   PrintAndLog("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
 121       data_buf[9],
 122     data_buf[10],
 123     data_buf[11],
 124     data_buf[12],
 125     data_buf[13],
 126     data_buf[14],
 127     data_buf[15],
 128     data_buf[16],
 129     data_buf[17],
 130     data_buf[18],
 131     data_buf[19],
 132     data_buf[20],
 133     data_buf[21]
 134   );
 135
 136   PrintAndLog("\nADF: User Area");
 137
 138   i = 22;
 139   for (n=0; n<64; n++) {
 140     segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
 141     segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
 142
 143     wrp = (data_buf[i+2]^crc);
 144     wrc = ((data_buf[i+3]^crc)&0x70)>>4;
 145
 146      PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x",
 147       n,
 148       data_buf[i]^crc,
 149       data_buf[i+1]^crc,
 150       data_buf[i+2]^crc,
 151       data_buf[i+3]^crc,
 152       segment_flag,
 153       (segment_flag&0x4)>>2,
 154       (segment_flag&0x8)>>3,
 155       segment_len,
 156       wrp,
 157       wrc,
 158       ((data_buf[i+3]^crc)&0x80)>>7,
 159       (data_buf[i+4]^crc)
 160     );
 161
 162     i+=5;
 163
 164     if (wrc>0) {
 165       PrintAndLog("WRC protected area:");
 166       for (k=0, j=0; k < wrc && j<(sizeof(out_string)-3); k++, i++, j += 3) {
 167         sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
 168         out_string[j+2] = ' ';
 169       };
 170
 171       out_string[j] = '\0';
 172
 173       PrintAndLog("%s", out_string);
 174     }
 175
 176     if (wrp>wrc) {
 177       PrintAndLog("Remaining write protected area:");
 178
 179       for (k=0, j=0; k < (wrp-wrc) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
 180         sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
 181         out_string[j+2] = ' ';
 182       };
 183
 184       out_string[j] = '\0';
 185
 186       PrintAndLog("%s", out_string);
 187       if((wrp-wrc) == 8) {
 188         sprintf(out_string,"Card ID: %2X%02X%02X",data_buf[i-4]^crc,data_buf[i-3]^crc,data_buf[i-2]^crc);
 189         PrintAndLog("%s", out_string);
 190       }
 191     }
 192
 193     PrintAndLog("Remaining segment payload:");
 194     for (k=0, j=0; k < (segment_len - wrp - 5) && j<(sizeof(out_string)-3); k++, i++, j += 3) {
 195       sprintf(&out_string[j], "%02x", (data_buf[i]^crc));
 196       out_string[j+2] = ' ';
 197     };
 198
 199     out_string[j] = '\0';
 200
 201     PrintAndLog("%s", out_string);
 202
 203     // end with last segment
 204     if (segment_flag & 0x8)
 205       return 0;
 206   };
 207   return 0;
 208 }
 209
 210 int CmdLegicRFRead(const char *Cmd)
 211 {
 212   int byte_count=0,offset=0;
 213   sscanf(Cmd, "%i %i", &offset, &byte_count);
 214   if(byte_count == 0) byte_count = -1;
 215   if(byte_count + offset > 1024) byte_count = 1024 - offset;
 216   UsbCommand c={CMD_READER_LEGIC_RF, {offset, byte_count, 0}};
 217   SendCommand(&c);
 218   UsbCommand resp;
 219   WaitForResponse(CMD_ACK,&resp);
 220   switch (resp.arg[0]) {
 221     case 0:
 222       PrintAndLog("Card (MIM %i) read, use 'hf legic decode' or", ((legic_card_select_t*)resp.d.asBytes)->cardsize);
 223       PrintAndLog("'data hexsamples %d' to view results", (resp.arg[1] + 7) & ~7);
 224       break;
 225     case 1:
 226       PrintAndLog("No or unknown card found, aborting");
 227       break;
 228     case 2:
 229       PrintAndLog("operation failed @ 0x%03.3x", resp.arg[1]);
 230       break;
 231   }
 232   return resp.arg[0];
 233 }
 234
 235 int CmdLegicLoad(const char *Cmd)
 236 {
 237         char filename[FILE_PATH_SIZE] = {0x00};
 238         int len = 0;
 239
 240         if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
 241                 PrintAndLog("It loads datasamples from the file `filename`");
 242                 PrintAndLog("Usage:  hf legic load <file name>");
 243                 PrintAndLog(" sample: hf legic load filename");
 244                 return 0;
 245         }
 246
 247         len = strlen(Cmd);
 248         if (len > FILE_PATH_SIZE) {
 249                 PrintAndLog("Filepath too long (was %s bytes), max allowed is %s ", len, FILE_PATH_SIZE);
 250                 return 0;
 251         }
 252         memcpy(filename, Cmd, len);
 253
 254     FILE *f = fopen(filename, "r");
 255     if(!f) {
 256         PrintAndLog("couldn't open '%s'", Cmd);
 257         return -1;
 258     }
 259     char line[80]; int offset = 0; unsigned int data[8];
 260     while(fgets(line, sizeof(line), f)) {
 261         int res = sscanf(line, "%x %x %x %x %x %x %x %x",
 262             &data[0], &data[1], &data[2], &data[3],
 263             &data[4], &data[5], &data[6], &data[7]);
 264         if(res != 8) {
 265           PrintAndLog("Error: could not read samples");
 266           fclose(f);
 267           return -1;
 268         }
 269         UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {offset, 1, 0}};
 270         int j; for(j = 0; j < 8; j++) {
 271             c.d.asBytes[j] = data[j];
 272         }
 273         SendCommand(&c);
 274         WaitForResponse(CMD_ACK, NULL);
 275         offset += 8;
 276     }
 277     fclose(f);
 278     PrintAndLog("loaded %u samples", offset);
 279     return 0;
 280 }
 281
 282 int CmdLegicSave(const char *Cmd)
 283 {
 284   int requested = 1024;
 285   int offset = 0;
 286   int delivered = 0;
 287   char filename[FILE_PATH_SIZE];
 288   uint8_t got[1024];
 289
 290   sscanf(Cmd, " %s %i %i", filename, &requested, &offset);
 291
 292   /* If no length given save entire legic read buffer */
 293   /* round up to nearest 8 bytes so the saved data can be used with legicload */
 294   if (requested == 0) {
 295     requested = 1024;
 296   }
 297   if (requested % 8 != 0) {
 298     int remainder = requested % 8;
 299     requested = requested + 8 - remainder;
 300   }
 301   if (offset + requested > sizeof(got)) {
 302     PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
 303     return 0;
 304   }
 305
 306   FILE *f = fopen(filename, "w");
 307   if(!f) {
 308     PrintAndLog("couldn't open '%s'", Cmd+1);
 309     return -1;
 310   }
 311
 312   GetFromBigBuf(got, requested, offset, NULL, -1, false);
 313
 314   for (int j = 0; j < requested; j += 8) {
 315     fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
 316       got[j+0],
 317       got[j+1],
 318       got[j+2],
 319       got[j+3],
 320       got[j+4],
 321       got[j+5],
 322       got[j+6],
 323       got[j+7]
 324     );
 325     delivered += 8;
 326     if (delivered >= requested)
 327       break;
 328   }
 329
 330   fclose(f);
 331   PrintAndLog("saved %u samples", delivered);
 332   return 0;
 333 }
 334
 335 int CmdLegicRfSim(const char *Cmd)
 336 {
 337    UsbCommand c={CMD_SIMULATE_TAG_LEGIC_RF};
 338    c.arg[0] = 1;
 339    sscanf(Cmd, " %" SCNi64, &c.arg[0]);
 340    SendCommand(&c);
 341    return 0;
 342 }
 343
 344 int CmdLegicRfWrite(const char *Cmd)
 345 {
 346     UsbCommand c={CMD_WRITER_LEGIC_RF};
 347     int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64, &c.arg[0], &c.arg[1]);
 348         if(res != 2) {
 349                 PrintAndLog("Please specify the offset and length as two hex strings");
 350         return -1;
 351     }
 352     SendCommand(&c);
 353     return 0;
 354 }
 355
 356 int CmdLegicRfFill(const char *Cmd)
 357 {
 358     UsbCommand cmd ={CMD_WRITER_LEGIC_RF};
 359     int res = sscanf(Cmd, " 0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64, &cmd.arg[0], &cmd.arg[1], &cmd.arg[2]);
 360     if(res != 3) {
 361         PrintAndLog("Please specify the offset, length and value as two hex strings");
 362         return -1;
 363     }
 364
 365     int i;
 366     UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {0, 1, 0}};
 367     for(i = 0; i < 48; i++) {
 368       c.d.asBytes[i] = cmd.arg[2];
 369     }
 370     for(i = 0; i < 22; i++) {
 371       c.arg[0] = i*48;
 372       SendCommand(&c);
 373       WaitForResponse(CMD_ACK,NULL);
 374     }
 375     SendCommand(&cmd);
 376     return 0;
 377  }
 378