return 0;
}
+int usage_legic_read(void){
+ PrintAndLog("Read data from a legic tag.");
+ PrintAndLog("Usage: hf legic read <offset> <num of bytes>");
+ PrintAndLog("Options :");
+ PrintAndLog(" <offset> : offset in data array to start download from");
+ PrintAndLog(" <num of bytes> : number of bytes to download");
+ PrintAndLog("");
+ PrintAndLog(" sample: hf legic read");
+ return 0;
+}
+
/*
* Output BigBuf and deobfuscate LEGIC RF tag data.
- * This is based on information given in the talk held
+ * This is based on information given in the talk held
* by Henryk Ploetz and Karsten Nohl at 26c3
*/
int CmdLegicDecode(const char *Cmd) {
- int i, k, n;
+ // Index for the bytearray.
+ int i = 0;
+ int k = 0, segmentNum;
int segment_len = 0;
int segment_flag = 0;
uint8_t stamp_len = 0;
int crc = 0;
int wrp = 0;
int wrc = 0;
- uint8_t data_buf[1200]; // receiver buffer
- //char out_string[3076]; // just use big buffer - bad practice
+ uint8_t data_buf[1024]; // receiver buffer, should be 1024..
char token_type[4];
- // copy data from proxmark into buffer
- GetFromBigBuf(data_buf,sizeof(data_buf),0);
- WaitForResponse(CMD_ACK,NULL);
-
+ // download EML memory, where the "legic read" command puts the data.
+ GetEMLFromBigBuf(data_buf, sizeof(data_buf), 0);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
+ PrintAndLog("Command execute timeout");
+ return 1;
+ }
+
// Output CDF System area (9 bytes) plus remaining header area (12 bytes)
crc = data_buf[4];
uint32_t calc_crc = CRC8Legic(data_buf, 4);
PrintAndLog("\nCDF: System Area");
-
+ PrintAndLog("------------------------------------------------------");
PrintAndLog("MCD: %02x, MSN: %02x %02x %02x, MCC: %02x %s",
data_buf[0],
data_buf[1],
(calc_crc == crc) ? "OK":"Fail"
);
- switch (data_buf[5]&0x7f) {
+ switch (data_buf[5] & 0x7f) {
case 0x00 ... 0x2f:
strncpy(token_type, "IAM",sizeof(token_type));
break;
case 0x30 ... 0x6f:
- strcpy(token_type, "SAM");
+ strncpy(token_type, "SAM",sizeof(token_type));
break;
case 0x70 ... 0x7f:
- strcpy(token_type, "GAM");
+ strncpy(token_type, "GAM",sizeof(token_type));
break;
default:
- strcpy(token_type, "???");
+ strncpy(token_type, "???",sizeof(token_type));
break;
}
stamp_len = 0xfc - data_buf[6];
- PrintAndLog("DCF: %02x %02x, Token_Type=%s (OLE=%01u), Stamp_len=%02u",
+ PrintAndLog("DCF: %02x %02x, Token Type=%s (OLE=%01u), Stamp len=%02u",
data_buf[5],
data_buf[6],
token_type,
PrintAndLog("Remaining Header Area");
PrintAndLog("%s", sprint_hex(data_buf+9, 13));
- PrintAndLog("\nADF: User Area");
-
- i = 22;
+
uint8_t segCrcBytes[8] = {0x00};
uint32_t segCalcCRC = 0;
uint32_t segCRC = 0;
+
+ // see if user area is xored or just zeros.
+ int numOfZeros = 0;
+ for (int index=22; index < 256; ++index){
+ if ( data_buf[index] == 0x00 )
+ ++numOfZeros;
+ }
+ // if possible zeros is less then 60%, lets assume data is xored
+ // 256 - 22 (header) = 234
+ // 1024 - 22 (header) = 1002
+ int isXored = (numOfZeros*100/stamp_len) < 50;
+ PrintAndLog("is data xored? %d ( %d %)", isXored, (numOfZeros*100/stamp_len));
+
+ print_hex_break( data_buf, 33, 16);
+
+ return 0;
- for ( n=0; n<64; n++ ) {
+ PrintAndLog("\nADF: User Area");
+ PrintAndLog("------------------------------------------------------");
+ i = 22;
+ // 64 potential segements
+ // how to detect there is no segments?!?
+ for ( segmentNum=0; segmentNum<64; segmentNum++ ) {
segment_len = ((data_buf[i+1]^crc)&0x0f) * 256 + (data_buf[i]^crc);
segment_flag = ((data_buf[i+1]^crc)&0xf0)>>4;
wrp = (data_buf[i+2]^crc);
wrc = ((data_buf[i+3]^crc)&0x70)>>4;
- /* validate segment-crc */
- segCRC = data_buf[i+4]^crc;
+ bool hasWRC = (wrc > 0);
+ bool hasWRP = (wrp > wrc);
+ int wrp_len = (wrp - wrc);
+ int remain_seg_payload_len = (segment_len - wrp - 5);
- segCrcBytes[0]=data_buf[0]; //uid0
- segCrcBytes[1]=data_buf[1]; //uid1
- segCrcBytes[2]=data_buf[2]; //uid2
- segCrcBytes[3]=data_buf[3]; //uid3
- segCrcBytes[4]=(data_buf[i]^crc); //hdr0
+ // validate segment-crc
+ segCrcBytes[0]=data_buf[0]; //uid0
+ segCrcBytes[1]=data_buf[1]; //uid1
+ segCrcBytes[2]=data_buf[2]; //uid2
+ segCrcBytes[3]=data_buf[3]; //uid3
+ segCrcBytes[4]=(data_buf[i]^crc); //hdr0
segCrcBytes[5]=(data_buf[i+1]^crc); //hdr1
segCrcBytes[6]=(data_buf[i+2]^crc); //hdr2
segCrcBytes[7]=(data_buf[i+3]^crc); //hdr3
+
segCalcCRC = CRC8Legic(segCrcBytes, 8);
+ segCRC = data_buf[i+4]^crc;
- PrintAndLog("Segment %02u: raw header=%02x %02x %02x %02x, flag=%01x (valid=%01u, last=%01u), len=%04u, WRP=%02u, WRC=%02u, RD=%01u, CRC=%02x (%s)",
- n,
+ PrintAndLog("Segment %02u \nraw header | 0x%02X 0x%02X 0x%02X 0x%02X \nSegment len: %u, Flag: 0x%X (valid:%01u, last:%01u), WRP: %02u, WRC: %02u, RD: %01u, CRC: 0x%02X (%s)",
+ segmentNum,
data_buf[i]^crc,
data_buf[i+1]^crc,
data_buf[i+2]^crc,
data_buf[i+3]^crc,
+ segment_len,
segment_flag,
- (segment_flag&0x4)>>2,
- (segment_flag&0x8)>>3,
- segment_len,
+ (segment_flag & 0x4) >> 2,
+ (segment_flag & 0x8) >> 3,
wrp,
wrc,
- ((data_buf[i+3]^crc)&0x80)>>7,
+ ((data_buf[i+3]^crc) & 0x80) >> 7,
segCRC,
( segCRC == segCalcCRC ) ? "OK" : "fail"
);
i += 5;
- if ( wrc>0 ) {
- PrintAndLog("WRC protected area:");
-
- for ( k=i; k < wrc; k++)
- data_buf[k] ^= crc;
-
- for ( k=i; k < wrc; k += 8)
- PrintAndLog("%s", sprint_hex( data_buf+k, 8) );
+ if ( hasWRC ) {
+ PrintAndLog("WRC protected area: (I %d | K %d| WRC %d)", i, k, wrc);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
+ // de-xor? if not zero, assume it needs xoring.
+ if ( isXored) {
+ for ( k=i; k < wrc; ++k)
+ data_buf[k] ^= crc;
+ }
+ print_hex_break( data_buf+i, wrc, 16);
i += wrc;
}
- if ( wrp>wrc ) {
- PrintAndLog("Remaining write protected area:");
+ if ( hasWRP ) {
+ PrintAndLog("Remaining write protected area: (I %d | K %d | WRC %d | WRP %d WRP_LEN %d)",i, k, wrc, wrp, wrp_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
- if ( data_buf[k] > 0) {
- for (k=i; k < (wrp-wrc); k++)
+ if (isXored) {
+ for (k=i; k < wrp_len; ++k)
data_buf[k] ^= crc;
}
- for (k=i; k < (wrp-wrc); k++)
- PrintAndLog("%s", sprint_hex( data_buf+k, 16) );
-
- i += (wrp-wrc);
+ print_hex_break( data_buf+i, wrp_len, 16);
- if( (wrp-wrc) == 8 )
+ i += wrp_len;
+
+ // does this one work?
+ if( wrp_len == 8 )
PrintAndLog("Card ID: %2X%02X%02X", data_buf[i-4]^crc, data_buf[i-3]^crc, data_buf[i-2]^crc);
}
- PrintAndLog("Remaining segment payload:");
-
- if ( data_buf[k] > 0 ) {
- for ( k=i; k < (segment_len - wrp - 5); k++)
+ PrintAndLog("Remaining segment payload: (I %d | K %d | Remain LEN %d)", i, k, remain_seg_payload_len);
+ PrintAndLog("\nrow | data");
+ PrintAndLog("-----+------------------------------------------------");
+ if ( isXored ) {
+ for ( k=i; k < remain_seg_payload_len; ++k)
data_buf[k] ^= crc;
}
- for ( k=i; k < (segment_len - wrp - 5); k++)
- PrintAndLog("%s", sprint_hex( data_buf+k, 16) );
+ print_hex_break( data_buf+i, remain_seg_payload_len, 16);
+ i += remain_seg_payload_len;
+
+ PrintAndLog("-----+------------------------------------------------\n");
+
// end with last segment
if (segment_flag & 0x8) return 0;
}
int CmdLegicRFRead(const char *Cmd) {
+
+ // params:
+ // offset in data
+ // number of bytes.
+ char cmdp = param_getchar(Cmd, 0);
+ if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_read();
+
int byte_count=0, offset=0;
sscanf(Cmd, "%i %i", &offset, &byte_count);
if(byte_count == 0) byte_count = -1;
memcpy(c.d.asBytes, data, sizeof(data));
clearCommandBuffer();
SendCommand(&c);
- WaitForResponse(CMD_ACK, NULL);
-
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
+ PrintAndLog("Command execute timeout");
+ fclose(f);
+ return 1;
+ }
offset += index;
totalbytes += index;
index = 0;
memcpy(c.d.asBytes, data, 8);
clearCommandBuffer();
SendCommand(&c);
- WaitForResponse(CMD_ACK, NULL);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 1500)){
+ PrintAndLog("Command execute timeout");
+ return 1;
+ }
totalbytes += index;
}
return 0;
}
+ GetFromBigBuf(got, requested, offset);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000)){
+ PrintAndLog("Command execute timeout");
+ return 1;
+ }
+
FILE *f = fopen(filename, "w");
if(!f) {
PrintAndLog("couldn't open '%s'", Cmd+1);
return -1;
}
-
- GetFromBigBuf(got,requested,offset);
- WaitForResponse(CMD_ACK,NULL);
-
+
for (int j = 0; j < requested; j += 8) {
fprintf(f, "%02x %02x %02x %02x %02x %02x %02x %02x\n",
got[j+0], got[j+1], got[j+2], got[j+3],
return 0;
}
+//TODO: write a help text (iceman)
int CmdLegicRfSim(const char *Cmd) {
UsbCommand c = {CMD_SIMULATE_TAG_LEGIC_RF, {6,3,0}};
sscanf(Cmd, " %"lli" %"lli" %"lli, &c.arg[0], &c.arg[1], &c.arg[2]);
return 0;
}
+//TODO: write a help text (iceman)
int CmdLegicRfWrite(const char *Cmd) {
UsbCommand c = {CMD_WRITER_LEGIC_RF};
int res = sscanf(Cmd, " 0x%"llx" 0x%"llx, &c.arg[0], &c.arg[1]);
int CmdLegicCalcCrc8(const char *Cmd){
int len = strlen(Cmd);
- if (len & 1 ) return usage_legic_calccrc8();
+ if ( len & 1 ) return usage_legic_calccrc8();
- uint8_t *data = malloc(len);
+ // add 1 for null terminator.
+ uint8_t *data = malloc(len+1);
if ( data == NULL ) return 1;
- param_gethex(Cmd, 0, data, len );
+ if (param_gethex(Cmd, 0, data, len )) {
+ free(data);
+ return usage_legic_calccrc8();
+ }
uint32_t checksum = CRC8Legic(data, len/2);
PrintAndLog("Bytes: %s || CRC8: %X", sprint_hex(data, len/2), checksum );
projects / proxmark3-svn / blobdiff