In my attempts to make the LEGIC code better, its not working now. Timings if off.

CHG: switching to US clock. CHG: better trace annotation for legic CHG: Legic prng can now give a x bits in once.
2025-08-14 02:27:26 -07:00 · 2016-09-09 11:56:20 +02:00 · 2016-09-09 11:56:20 +02:00 · ad5bc8cc8c
commit ad5bc8cc8c
parent 1b12afbd9f
9 changed files with 318 additions and 235 deletions
--- a/common/legic_prng.c
+++ b/common/legic_prng.c
@ -7,22 +7,35 @@
 //-----------------------------------------------------------------------------

 #include "legic_prng.h"
-
+// a is 7bit
+// b is 
+// c is a counter
 struct lfsr {
 	uint8_t  a;
 	uint8_t  b;
 	uint32_t c;
 } lfsr;

-void legic_prng_init(uint8_t init) {
-	lfsr.a = init;
+// Normal init is set following variables with a random value IV
+// a == iv
+// b == iv << 1 | 1
+// * someone mentioned iv must be ODD.
+// Hack:
+// Now we have a special case with iv == 0
+// it sets b to 0 aswell to make sure we get a all zero keystream out
+// which is used in the initialisation phase sending the IV
+// 
+void legic_prng_init(uint8_t iv) {
+	lfsr.a = iv;
 	lfsr.b = 0;  // hack to get a always 0 keystream 
 	lfsr.c = 0;
-	if(init)
-		lfsr.b = (init << 1) | 1;
+	if(iv)
+		lfsr.b = (iv << 1) | 1;
 }

 void legic_prng_forward(int count) {
+	if (count == 0) return;
+	
 	lfsr.c += count;
 	while(count--) {
 		// According: http://www.proxmark.org/forum/viewtopic.php?pid=5437#p5437
@ -38,4 +51,13 @@ uint32_t legic_prng_count() {
 uint8_t legic_prng_get_bit() {
 	uint8_t idx = 7 - ( (lfsr.a & 4) | (lfsr.a >> 2 & 2) | (lfsr.a >> 4 & 1) );
 	return lfsr.b >> idx & 1;
+}
+
+uint32_t legic_prng_get_bits(uint8_t len){
+	uint32_t a = 0;
+	for(uint8_t i = 0; i < len; ++i) {
+		a |= legic_prng_get_bit() << i;
+		legic_prng_forward(1);
+	}
+	return a;
 }
--- a/common/protocols.h
+++ b/common/protocols.h
@ -326,9 +326,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define     MFDES_AUTHENTICATION_FRAME 		 0xAF

 // LEGIC Commands
-#define 	LEGIC_HSK	0x39
-#define		LEGIC_READ	0x01
-#define 	LEGIC_WRITE	0x00
+#define 	LEGIC_HSK_22	0x19
+#define 	LEGIC_HSK_256	0x39
+#define		LEGIC_READ		0x01
+#define 	LEGIC_WRITE		0x00

 void printIclassDumpInfo(uint8_t* iclass_dump);
 void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);