| blob | 757d65fa0a1b5691c0df5ea0c9c83becc5313a82 |
6 --[[
7 script to create a clone-dump with new crc
8 Author: mosci
9 my Fork: https://github.com/icsom/proxmark3.git
11 1. read tag-dump, xor byte 22..end with byte 0x05 of the inputfile
12 2. write to outfile
13 3. set byte 0x05 to newcrc
14 4. until byte 0x21 plain like in inputfile
15 5. from 0x22..end xored with newcrc
16 6. calculate new crc on each segment (needs to know the new MCD & MSN0..2)
18 simplest usage:
19 Dump a legic tag with 'hf legic dump'
20 place your 'empty' tag on the reader and run
21 'script run hf_legic_clone -i orig.bin -w'
23 you will see some output like:
25 read 1024 bytes from orig.bin
27 place your empty tag onto the PM3 to read and display the MCD & MSN0..2
28 the values will be shown below
29 confirm when ready [y/n] ?y
31 0b ad c0 de <- !! here you'll see the MCD & MSN of your empty tag, which has to be typed in manually as seen below !!
32 type in MCD as 2-digit value - e.g.: 00 (default: 79 )
33 > 0b
34 type in MSN0 as 2-digit value - e.g.: 01 (default: 28 )
35 > ad
36 type in MSN1 as 2-digit value - e.g.: 02 (default: d1 )
37 > c0
38 type in MSN2 as 2-digit value - e.g.: 03 (default: 43 )
39 > de
40 MCD:0b, MSN:ad c0 de, MCC:79 <- this crc is calculated from the MCD & MSN and must match the one on yout empty tag
42 wrote 1024 bytes to myLegicClone.hex
43 enter number of bytes to write? (default: 86 )
45 loaded 1024 samples
46 #db# setting up legic card
47 #db# MIM 256 card found, writing 0x00 - 0x01 ...
48 #db# write successful
49 ...
50 #db# setting up legic card
51 #db# MIM 256 card found, writing 0x56 - 0x01 ...
52 #db# write successful
53 proxmark3>
55 the default value (number of bytes to write) is calculated over all valid segments and should be ok - just hit enter, wait until write has finished
56 and your clone should be ready (except there has to be a additional KGH-CRC to be calculated - which credentials are unknown until yet)
58 the '-w' switch will only work with my fork - it needs the binary legic_crc8 which is not part of the proxmark3-master-branch
59 also the ability to write DCF is not possible with the proxmark3-master-branch
60 but creating dumpfile-clone files will be possible (without valid segment-crc - this has to done manually with)
63 (example) Legic-Prime Layout with 'Kaba Group Header'
64 +----+----+----+----+----+----+----+----+
65 0x00|MCD |MSN0|MSN1|MSN2|MCC | 60 | ea | 9f |
66 +----+----+----+----+----+----+----+----+
67 0x08| ff | 00 | 00 | 00 | 11 |Bck0|Bck1|Bck2|
68 +----+----+----+----+----+----+----+----+
69 0x10|Bck3|Bck4|Bck5|BCC | 00 | 00 |Seg0|Seg1|
70 +----+----+----+----+----+----+----+----+
71 0x18|Seg2|Seg3|SegC|Stp0|Stp1|Stp2|Stp3|UID0|
72 +----+----+----+----+----+----+----+----+
73 0x20|UID1|UID2|kghC|
74 +----+----+----+
76 MCD= ManufacturerID (1 Byte)
77 MSN0..2= ManufactureSerialNumber (3 Byte)
78 MCC= CRC (1 Byte) calculated over MCD,MSN0..2
79 DCF= DecrementalField (2 Byte) 'credential' (enduser-Tag) seems to have always DCF-low=0x60 DCF-high=0xea
80 Bck0..5= Backup (6 Byte) Bck0 'dirty-flag', Bck1..5 SegmentHeader-Backup
81 BCC= BackupCRC (1 Byte) CRC calculated over Bck1..5
82 Seg0..3= SegmentHeader (on MIM 4 Byte )
83 SegC= SegmentCRC (1 Byte) calculated over MCD,MSN0..2,Seg0..3
84 Stp0..n= Stamp0... (variable length) length = Segment-Len - UserData - 1
85 UID0..n= UserDater (variable length - with KGH hex 0x00-0x63 / dec 0-99) length = Segment-Len - WRP - WRC - 1
86 kghC= KabaGroupHeader (1 Byte + addr 0x0c must be 0x11)
87 as seen on this example: addr 0x05..0x08 & 0x0c must have been set to this values - otherwise kghCRC will not be created by a official reader (not accepted)
88 --]]
94 This is a script which creates a clone-dump of a dump from a LEGIC Prime Tag (MIM256 or MIM1024)
95 Create a dump by running `hf legic dump`.
96 ]]
98 script run hf_legic_clone -i my_dump.bin -o my_clone.bin -c f8
99 script run hf_legic_clone -i my_dump.bin -d -s
100 ]]
102 script run hf_legic_clone [-h] [-i <file>] [-o <file>] [-c <crc>] [-d] [-s] [-w]
103 ]]
105 required :
106 -i <input file> - file to read data from, must be in binary format (*.bin)
108 optional :
109 -h - Help text
110 -o <output file> - requires option -c to be given
111 -c <new-tag crc> - requires option -o to be given
112 -d - Display content of found Segments
113 -s - Display summary at the end
114 -w - write directly to tag - a file hf-legic-UID-dump.bin will also be generated
116 e.g.:
117 hint: using the CRC '00' will result in a plain dump ( -c 00 )
118 ]]
121 ---
122 -- This is only meant to be used when errors occur
130 end
131 else
133 end
134 end
135 -- we need always 2 digits
141 else
144 else
145 return s
146 end
147 end
148 end
149 ---
150 -- This is only meant to be used when errors occur
155 end
156 ---
157 -- Usage help
169 end
170 -- read LEGIC data
172 -- Read data
179 }
182 -- result is a packed data structure, data starts at offset 33
183 return result
184 end
186 -- Check availability of file
191 else
193 end
194 return exists
195 end
197 --- xor-wrapper
198 -- xor all from addr 0x22 (start counting from 1 => 23)
202 else
203 return hex
204 end
205 end
207 -- read input-file into array
218 end
221 return bytes
222 end
224 -- write to file
231 end
234 return true
235 end
237 -- xore certain bytes
242 end
244 -- replace crc
246 return bytes
247 else
249 return false
250 end
251 end
253 -- get raw segment-data
258 -- flag = high nibble of byte 1
261 -- valid = bit 6 of byte 1
264 -- last = bit 7 of byte 1
267 -- len = (byte 0)+(bit0-3 of byte 1)
268 segment[4] = tonumber(('%03x'):format(tonumber(bit32.extract('0x'..bytes[start + 1], 0, 3), 16)..tonumber(bytes[start], 16)), 16)
270 -- wrp (write proteted) = byte 2
273 -- wrc (write control) - bit 4-6 of byte 3
276 -- rd (read disabled) - bit 7 of byte 3
279 -- crc byte 4
282 -- segment index
285 -- # crc-byte
287 return segment
288 end
290 --- Kaba Group Header
291 -- checks if a segment does have a kghCRC
292 -- returns boolean false if no kgh has being detected or the kghCRC if a kgh was detected
295 local i
300 --- gather creadentials for verify
308 end
311 return KGH
312 else
313 return false
314 end
315 else
316 return false
317 end
318 end
320 -- get only the addresses of segemnt-crc's and the length of bytes
325 repeat
332 return crcbytes
333 end
335 -- print Segment values
339 res = res.. "flag="..SegmentData[1].." (valid="..SegmentData[2].." last="..SegmentData[3].."), "
346 end
348 -- print segment-data (hf legic info like)
351 --display segment header(s)
355 --repeat until last-flag ist set to 1 or segment-index has reached 126
356 repeat
367 -- wrc
370 -- length of wrc = wrc
372 -- starts at (segment-start + segment-header + segment-crc)-1
374 end
378 -- length of wrp = (wrp-wrc)
380 -- starts at (segment-start + segment-header + segment-crc + wrc)-1
382 end
384 end
386 -- payload
388 --length of payload = segment-len - segment-header - segment-crc - wrp -wrc
390 -- starts at (segment-start + segment-header + segment-crc + segment-wrp + segemnt-wrc)-1
392 end
396 end
401 end
403 -- write clone-data to tag
406 local output
407 local readbytes
408 if (utils.confirm("\nplace your empty tag onto the PM3 to restore the data of the input file\nthe CRCs will be calculated as needed\n confirm when ready") == false) then
409 return
410 end
413 -- gather MCD & MSN from new Tag - this must be enterd manually
416 -- readbytes is a usbcommandOLD package, hence 32 bytes offset until data.
426 -- calculate crc8 over MCD & MSN
429 print("MCD:"..ansicolors.green..MCD..ansicolors.reset..", MSN:"..ansicolors.green..MSN0.." "..MSN1.." "..MSN2..ansicolors.reset..", MCC:"..MCC)
431 -- calculate new Segment-CRC for each valid segment
434 -- SegCrcs[i]-4 = address of first byte of segmentHeader (low byte segment-length)
435 segLen = tonumber(("%1x"):format(tonumber(bit32.extract("0x"..plainBytes[(SegCrcs[i] - 3)], 0, 3), 16))..("%02x"):format(tonumber(plainBytes[SegCrcs[i] - 4], 16)), 16)
441 end
442 cmd = MCD..MSN0..MSN1..MSN2..plainBytes[SegCrcs[i]-4]..plainBytes[SegCrcs[i]-3]..plainBytes[SegCrcs[i]-2]..plainBytes[SegCrcs[i]-1]
444 end
446 -- apply MCD & MSN to plain data
453 -- prepare plainBytes for writing (xor plain data with new MCC)
456 -- write data to file
458 -- write pm3-buffer to Tag
461 end
462 end
464 -- main function
466 -- some variables
472 -- parse arguments for the script
474 -- output file
476 outfile = a
479 local answer = utils.confirm('\nthe output-file '..a..' already exists!\nthis will delete the previous content!\ncontinue?')
481 end
482 end
483 -- input file
485 infile = a
494 end
495 -- new crc
499 end
500 -- display segments switch
502 -- display summary switch
504 -- write to tag switch
506 -- help
508 end
512 -- bytes to plain
515 -- show segments (works only on plain bytes)
517 print("+------------------------------------------- Segments -------------------------------------------+")
519 end
522 -- xor bytes with new crc
524 -- write output
526 -- show summary if requested
528 -- information
529 res = "\n+-------------------------------------------- Summary -------------------------------------------+"
534 res = res .."\n\nif you don't write to tag immediately ('-w' switch) you will need to recalculate each segmentCRC"
539 res = res ..ansicolors.yellow.."hf legic crc -d "..bytes[1]..bytes[2]..bytes[3]..bytes[4]..bytes[23]..bytes[24]..bytes[25]..bytes[26].." --mcc "..newcrc.." -t 8"..ansicolors.reset
540 -- this can not be calculated without knowing the new MCD, MSN0..2
542 end
543 end
544 else
546 -- show why the output-file was not written
550 end
551 end
552 -- write to tag
555 end
556 end
558 -- call main with arguments