In my attempts to make the LEGIC code better, its not working now. Ti…

…mings if off. CHG: switching to US clock. CHG: better trace annotation for legic CHG: Legic prng can now give a x bits in once.
iceman1001 · Sep 9, 2016 · ad5bc8c · ad5bc8c
1 parent 1b12afb
commit ad5bc8c
Show file tree

Hide file tree

Showing 9 changed files with 317 additions and 234 deletions.
diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c
diff --git a/armsrc/legicrf.h b/armsrc/legicrf.h
@@ -18,6 +18,8 @@
 #include "legic_prng.h"	// legic PRNG impl
 #include "crc.h"		// legic crc-4
 
+#define LEGIC_READ 0x01
+#define LEGIC_WRITE 0x00
 
 extern void LegicRfSimulate(int phase, int frame, int reqresp);
 extern int  LegicRfReader(int offset, int bytes, int iv);

diff --git a/client/cmdhf.c b/client/cmdhf.c
@@ -652,7 +652,6 @@ uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, ui
 		uint8_t parityBits = parityBytes[j>>3];
 		if (protocol != ISO_14443B && protocol != ISO_7816_4 &&  (isResponse || protocol == ISO_14443A)  && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) {
 			snprintf(line[j/16]+(( j % 16) * 4),110, "%02x! ", frame[j]);
-
 		} else {
 			snprintf(line[j/16]+(( j % 16) * 4),110, "%02x  ", frame[j]);
 		}

diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c
@@ -403,9 +403,34 @@ int CmdLegicRFRead(const char *Cmd) {
 	}
 	PrintAndLog("Current IV: 0x%02x", IV);
 
-	UsbCommand c= {CMD_READER_LEGIC_RF, {offset, len, IV}};
+	// get some  prng bytes from 
+	uint8_t temp[12];
+	legic_prng_init(IV);
+	for ( uint8_t j = 0; j < sizeof(temp); ++j)
+		temp[j] = legic_prng_get_bits(8);
+
+	PrintAndLog("PRNG: %s", sprint_hex(temp, sizeof(temp)));
+
+	UsbCommand c = {CMD_READER_LEGIC_RF, {offset, len, IV}};
 	clearCommandBuffer();
 	SendCommand(&c);
+	UsbCommand resp;
+	if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) {
+		uint8_t isOK = resp.arg[0] & 0xFF;
+		uint16_t len = resp.arg[1] & 0x3FF;
+		if ( isOK ) {
+			PrintAndLog("OK : %d", isOK);
+			PrintAndLog("use 'hf legic decode' or");
+			PrintAndLog("'data hexsamples %d' to view results", len);	
+		}
+	} else {
+		PrintAndLog("command execution time out");
+		return 1;
+	}
+
+	//uint8_t got[12000];
+	//GetFromBigBuf(got,sizeof(got),0);
+	//WaitForResponse(CMD_ACK,NULL);
 	return 0;
 }
 

diff --git a/client/cmdhflegic.h b/client/cmdhflegic.h
@@ -20,6 +20,7 @@
 #include "cmdmain.h"
 #include "util.h"
 #include "crc.h"
+#include "legic_prng.h"
 
 int CmdHFLegic(const char *Cmd);
 

diff --git a/client/proxmark3.c b/client/proxmark3.c
@@ -54,17 +54,27 @@ void SendCommand(UsbCommand *c) {
 }
 
 struct receiver_arg {
-  int run;
+	int run;
 };
 
 struct main_loop_arg {
-  int usb_present;
-  char *script_cmds_file;
+	int usb_present;
+	char *script_cmds_file;
 };
 
 byte_t rx[0x1000000];
 byte_t* prx = rx;
 
+// static void showBanner(void){
+	// printf("██████╗ ███╗   ███╗ ████╗     ...Iceman fork\n");
+	// printf("██╔══██╗████╗ ████║   ══█║\n");
+	// printf("██████╔╝██╔████╔██║ ████╔╝\n");
+	// printf("██╔═══╝ ██║╚██╔╝██║   ══█║    [email protected]\n");
+	// printf("██║     ██║ ╚═╝ ██║ ████╔╝ https://github.com/iceman1001/proxmark3\n");
+	// printf("╚═╝     ╚═╝     ╚═╝ ╚═══╝v1.6.4\n");
+// }
+
+
 static void *uart_receiver(void *targ) {
 	struct receiver_arg *arg = (struct receiver_arg*)targ;
 	size_t rxlen;
@@ -105,6 +115,7 @@ static void *main_loop(void *targ) {
 	char *cmd = NULL;
 	pthread_t reader_thread;
 
+
 	if (arg->usb_present == 1) {
 		rarg.run = 1;
 		pthread_create(&reader_thread, NULL, &uart_receiver, &rarg);

diff --git a/common/legic_prng.c b/common/legic_prng.c
@@ -7,22 +7,35 @@
 //-----------------------------------------------------------------------------
 
 #include "legic_prng.h"
-
+// a is 7bit
+// b is 
+// c is a counter
 struct lfsr {
 	uint8_t  a;
 	uint8_t  b;
 	uint32_t c;
 } lfsr;
 
-void legic_prng_init(uint8_t init) {
-	lfsr.a = init;
+// Normal init is set following variables with a random value IV
+// a == iv
+// b == iv << 1 | 1
+// * someone mentioned iv must be ODD.
+// Hack:
+// Now we have a special case with iv == 0
+// it sets b to 0 aswell to make sure we get a all zero keystream out
+// which is used in the initialisation phase sending the IV
+// 
+void legic_prng_init(uint8_t iv) {
+	lfsr.a = iv;
 	lfsr.b = 0;  // hack to get a always 0 keystream 
 	lfsr.c = 0;
-	if(init)
-		lfsr.b = (init << 1) | 1;
+	if(iv)
+		lfsr.b = (iv << 1) | 1;
 }
 
 void legic_prng_forward(int count) {
+	if (count == 0) return;
+
 	lfsr.c += count;
 	while(count--) {
 		// According: http://www.proxmark.org/forum/viewtopic.php?pid=5437#p5437
@@ -38,4 +51,13 @@ uint32_t legic_prng_count() {
 uint8_t legic_prng_get_bit() {
 	uint8_t idx = 7 - ( (lfsr.a & 4) | (lfsr.a >> 2 & 2) | (lfsr.a >> 4 & 1) );
 	return lfsr.b >> idx & 1;
+}
+
+uint32_t legic_prng_get_bits(uint8_t len){
+	uint32_t a = 0;
+	for(uint8_t i = 0; i < len; ++i) {
+		a |= legic_prng_get_bit() << i;
+		legic_prng_forward(1);
+	}
+	return a;
 }
diff --git a/common/protocols.h b/common/protocols.h
@@ -326,9 +326,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define     MFDES_AUTHENTICATION_FRAME 		 0xAF
 
 // LEGIC Commands
-#define 	LEGIC_HSK	0x39
-#define		LEGIC_READ	0x01
-#define 	LEGIC_WRITE	0x00
+#define 	LEGIC_HSK_22	0x19
+#define 	LEGIC_HSK_256	0x39
+#define		LEGIC_READ		0x01
+#define 	LEGIC_WRITE		0x00
 
 void printIclassDumpInfo(uint8_t* iclass_dump);
 void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);

diff --git a/include/legic_prng.h b/include/legic_prng.h
@@ -14,5 +14,6 @@ extern void legic_prng_init(uint8_t init);
 extern void legic_prng_forward(int count);
 extern uint32_t legic_prng_count();
 extern uint8_t legic_prng_get_bit();
+extern uint32_t legic_prng_get_bits(uint8_t len);
 #endif