From 77e1bab94aa5834882b3e48013035482296df9c9 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 6 Oct 2016 19:34:53 +0200 Subject: [PATCH] REM: "hf legic writeraw" has been removed. FIX: "hf legic eload" uploads now correct to device mem. --- client/cmdhflegic.c | 163 +++++++++++--------------------------------- client/cmdhflegic.h | 1 - 2 files changed, 41 insertions(+), 123 deletions(-) diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index d544a91c..c2db8682 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -71,19 +71,6 @@ int usage_legic_write(void){ PrintAndLog(" hf legic write 10 4 - writes 0x4 to byte[0x10]"); return 0; } -int usage_legic_rawwrite(void){ - PrintAndLog("Write raw data direct to a specific offset on legic tag."); - PrintAndLog("Usage: hf legic writeraw [h] "); - PrintAndLog("Options:"); - PrintAndLog(" h : this help"); - PrintAndLog(" : offset to write to (hex)"); - PrintAndLog(" : value (hex)"); - PrintAndLog(" : (optional) Initialization vector to use (hex, odd and 7bits)"); - PrintAndLog(""); - PrintAndLog("Samples:"); - PrintAndLog(" hf legic writeraw 10 4 - writes 0x4 to byte[0x10]"); - return 0; -} int usage_legic_reader(void){ PrintAndLog("Read UID and type information from a legic tag."); PrintAndLog("Usage: hf legic reader [h]"); @@ -119,7 +106,6 @@ int usage_legic_dump(void){ PrintAndLog(" hf legic dump o myfile"); return 0; } - int usage_legic_eload(void){ PrintAndLog("It loads binary dump from the file `filename.bin`"); PrintAndLog("Usage: hf legic eload [h] [card memory] "); @@ -152,7 +138,6 @@ int usage_legic_esave(void){ return 0; } - /* * Output BigBuf and deobfuscate LEGIC RF tag data. * This is based on information given in the talk held 
@@ -447,11 +432,11 @@ int CmdLegicInfo(const char *Cmd) { return 0; } +// params: +// offset in data memory +// number of bytes to read int CmdLegicRdmem(const char *Cmd) { - // params: - // offset in data memory - // number of bytes to read char cmdp = param_getchar(Cmd, 0); if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_rdmem(); @@ -470,39 +455,39 @@ int CmdLegicRdmem(const char *Cmd) { clearCommandBuffer(); SendCommand(&c); UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { - uint8_t isOK = resp.arg[0] & 0xFF; - uint16_t readlen = resp.arg[1]; - if ( isOK ) { + if ( !WaitForResponseTimeout(CMD_ACK, &resp, 3000) ) { + PrintAndLog("command execution time out"); + return 1; + } - uint8_t *data = malloc(readlen); - if ( !data ){ - PrintAndLog("Cannot allocate memory"); - return 2; - } + uint8_t isOK = resp.arg[0] & 0xFF; + uint16_t readlen = resp.arg[1]; + if ( !isOK ) { + PrintAndLog("failed reading tag"); + return 2; + } + + uint8_t *data = malloc(readlen); + if ( !data ){ + PrintAndLog("Cannot allocate memory"); + return 2; + } - if ( readlen != len ) - PrintAndLog("Fail, only managed to read 0x%02X bytes", readlen); + if ( readlen != len ) + PrintAndLog("Fail, only managed to read 0x%02X bytes", readlen); - // copy data from device - GetEMLFromBigBuf(data, readlen, 0); - if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500)){ - PrintAndLog("Command execute timeout"); - if ( data ) - free(data); - return 1; - } - - PrintAndLog("\n ## | Data"); - PrintAndLog("-----+-----"); - print_hex_break( data, readlen, 32); - } else { - PrintAndLog("failed reading tag"); - } - } else { - PrintAndLog("command execution time out"); + // copy data from device + GetEMLFromBigBuf(data, readlen, 0); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500)){ + PrintAndLog("Command execute timeout"); + free(data); return 1; } + + PrintAndLog("\n ## | Data"); + PrintAndLog("-----+-----"); + print_hex_break( data, readlen, 32); + free(data); return 0; } 
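Review bot: A short read is still reported as success in `CmdLegicRdmem`: after `if ( readlen != len ) PrintAndLog("Fail, only managed to read 0x%02X bytes", readlen);` the new code goes on to dump the partial buffer and ends with `return 0;`, so a caller cannot tell a truncated read from a complete one. Showing the partial data is fine, but the final line should reflect it, e.g. `return (readlen == len) ? 0 : 3;` (1 and 2 already mean timeout and failure in this function). Separately, the `!isOK` branch and the allocation failure both `return 2;`, so those two outcomes are indistinguishable as well. `readlen` is taken straight from the device reply; a zero reply makes `malloc(0)` implementation-defined and may be misreported as "Cannot allocate memory", so a `readlen == 0` check before allocating would be worth adding.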
@@ -703,80 +688,17 @@ int CmdLegicRfWrite(const char *Cmd) { } int CmdLegicRfRawWrite(const char *Cmd) { - - char cmdp = param_getchar(Cmd, 0); - if ( cmdp == 'H' || cmdp == 'h' ) return usage_legic_rawwrite(); - - uint32_t offset = 0, data = 0, IV = 0; - char answer; - - int res = sscanf(Cmd, "%x %x %x", &offset, &data, &IV); - if(res < 2) - return usage_legic_rawwrite(); - - // OUT-OF-BOUNDS check - if ( offset > MAX_LENGTH ) { - PrintAndLog("Out-of-bound, offset"); - return 1; - } - - if ( (IV & 0x7F) != IV ){ - IV &= 0x7F; - PrintAndLog("Truncating IV to 7bits"); - } - if ( (IV & 1) == 0 ){ - IV |= 0x01; // IV must be odd - PrintAndLog("LSB of IV must be SET"); - } - - UsbCommand c = { CMD_RAW_WRITER_LEGIC_RF, {offset, data, IV} }; - - if (c.arg[0] == 0x05 || c.arg[0] == 0x06) { - PrintAndLog("############# DANGER !! #############"); - PrintAndLog("# changing the DCF is irreversible #"); - PrintAndLog("#####################################"); - PrintAndLog("do youe really want to continue? y(es) n(o)"); - if (scanf(" %c", &answer) > 0 && (answer == 'y' || answer == 'Y')) { - SendCommand(&c); - return 0; - } - return -1; - } - - clearCommandBuffer(); - SendCommand(&c); + PrintAndLog("############# DANGER !! #############"); + PrintAndLog("# changing the DCF is irreversible #"); + PrintAndLog("#####################################"); + PrintAndLog("do youe really want to continue? 
y(es) n(o)"); + // if (scanf(" %c", &answer) > 0 && (answer == 'y' || answer == 'Y')) { + // return 0; + // } return 0; } void static calc4(uint8_t *cmd, uint8_t len){ - crc_t crc; - //crc_init_ref(&crc, 4, 0x19 >> 1, 0x5, 0, TRUE, TRUE); - crc_init(&crc, 4, 0x19 >> 1, 0x5, 0); - - crc_clear(&crc); - crc_update(&crc, 1, 1); /* CMD_READ */ - crc_update(&crc, cmd[0], 8); - crc_update(&crc, cmd[1], 8); - printf("crc4 %X\n", reflect(crc_finish(&crc), 4) ) ; - - crc_clear(&crc); - crc_update(&crc, 1, 1); /* CMD_READ */ - crc_update(&crc, cmd[0], 8); - crc_update(&crc, cmd[1], 8); - printf("crc4 %X\n", crc_finish(&crc) ) ; - - printf("---- old ---\n"); - crc_update2(&crc, 1, 1); /* CMD_READ */ - crc_update2(&crc, cmd[0], 8); - crc_update2(&crc, cmd[1], 8); - printf("crc4 %X \n", reflect(crc_finish(&crc), 4) ) ; - - - crc_clear(&crc); - crc_update2(&crc, 1, 1); /* CMD_READ */ - crc_update2(&crc, cmd[0], 8); - crc_update2(&crc, cmd[1], 8); - printf("crc4 %X\n", crc_finish(&crc) ) ; } int CmdLegicCalcCrc8(const char *Cmd){ @@ -912,18 +834,15 @@ void legic_chk_iv(uint32_t *iv){ PrintAndLog("LSB of IV must be SET %u", *iv); } } - void legic_seteml(uint8_t *src, uint32_t offset, uint32_t numofbytes) { - size_t len = 0; UsbCommand c = {CMD_LEGIC_ESET, {0, 0, 0}}; - for(size_t i = 0; i < numofbytes; i += USB_CMD_DATA_SIZE) { len = MIN((numofbytes - i), USB_CMD_DATA_SIZE); c.arg[0] = i; // offset c.arg[1] = len; // number of bytes - memcpy(c.d.asBytes, src, len); + memcpy(c.d.asBytes, src+i, len); clearCommandBuffer(); SendCommand(&c); PrintAndLog("ICE: offset %d | len %d", i, len); @@ -1023,6 +942,7 @@ int CmdLegicDump(const char *Cmd){ PrintAndLog("Fail, cannot allocate memory"); return 3; } + memset(data, 0, readlen); if ( readlen != dumplen ) PrintAndLog("Fail, only managed to read 0x%02X bytes of 0x%02X", readlen, dumplen); 
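Review bot: `CmdLegicRfRawWrite` is left as a stub that prints the DANGER banner and the prompt `do youe really want to continue? y(es) n(o)` but never reads an answer and never acts, while the commit message says the command was removed; if the function is still registered in the command table (not visible in this hunk) a user gets a meaningless prompt. Either drop the function and its table entry, or reduce the body to one clear message, e.g. `PrintAndLog("hf legic writeraw has been removed"); return 0;`, and delete the commented-out `scanf` lines instead of keeping them as a comment; `Cmd` is now also unused. In the same hunk `calc4` is reduced to a body with no statements, leaving `cmd` and `len` unused — it should be removed as well, or carry a `TODO` saying why the empty shell is kept. The typo `youe` in the prompt string is carried over to the new side.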
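Review bot: The trace line kept on the new side of `legic_seteml`, `PrintAndLog("ICE: offset %d | len %d", i, len);`, passes the `size_t` values `i` and `len` to `%d`, which is undefined behaviour for a printf-style format and prints wrong values on LP64 targets; use `PrintAndLog("offset %zu | len %zu", i, len);` if the wrapper forwards the format to vsnprintf, otherwise cast to `unsigned` and use `%u`. The `ICE:` prefix reads like a leftover debugging trace and probably should not be printed for every chunk of a normal upload. The loop also sends each `CMD_LEGIC_ESET` chunk without waiting for an acknowledgement (no `WaitForResponseTimeout` in the hunk), so a fast client may overrun the device's command buffer — confirm whether `SendCommand` itself blocks. `legic_seteml` continues past the end of the hunk.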
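Review bot: The new `memset(data, 0, readlen);` in `CmdLegicDump` deserves a comment stating why it is there: the line right after it warns that the device may have returned fewer than `dumplen` bytes, so presumably the zero-fill is meant to keep uninitialised heap contents out of the dump file on a short read — confirm that is the intent and say so, e.g. `// zero-fill so a short read never dumps uninitialised heap memory`. If `data` comes from `malloc` just above the hunk, `calloc(readlen, 1)` at the allocation site would do the same in one step. The zeroing covers only `readlen` while the message names `dumplen`; if the file is later written with `dumplen` bytes (outside the hunk), check that the buffer is actually that large.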
@@ -1148,8 +1068,7 @@ int CmdLegicESave(const char *Cmd) { memset(data, 0, numofbytes); // download emulator memory - PrintAndLog("Reading emulator memory..."); - + PrintAndLog("Reading emulator memory..."); GetEMLFromBigBuf(data, numofbytes, 0); if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500)) { PrintAndLog("Fail, transfer from device time-out"); diff --git a/client/cmdhflegic.h b/client/cmdhflegic.h index 1de3d1cb..741766e9 100644 --- a/client/cmdhflegic.h +++ b/client/cmdhflegic.h @@ -50,7 +50,6 @@ int usage_legic_load(void); int usage_legic_rdmem(void); int usage_legic_sim(void); int usage_legic_write(void); -int usage_legic_rawwrite(void); int usage_legic_reader(void); int usage_legic_info(void); int usage_legic_dump(void); -- 2.39.5