proxmark3/client/luascripts/mem_readpwd.lua

local getopt = require('getopt')
local bin = require('bin')
local ansicolors = require('ansicolors')
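-- Script metadata and help texts. They are assigned as globals; help() reads
-- them by name when -h is given.
copyright = 'Copyright (c) 2018 Bogito. All rights reserved.'
author = 'Bogito'
version = 'v1.0.4'

-- What the script does. Note that its output is stored passwords/keys in
-- clear text.
desc = [[
This script will read the flash memory of RDV4 and print the stored passwords/keys.
It was meant to be used as a help tool after using the BogRun standalone mode before SPIFFS.
You should now use data_read_pwd_mem_spiffs instead after the updated BogRun standalone mode.
(Iceman) script adapted to read and print keys in the default dictionary flashmemory sections.
]]

-- Example invocations shown by help().
example = [[
-- This will scan the first 256 bytes of flash memory for stored passwords
script run mem_readpwd
-- This will scan 256 bytes of flash memory at offset 64 for stored passwords
script run mem_readpwd -o 64
-- This will scan 32 bytes of flash memory at offset 64 for stored passwords
script run mem_readpwd -o 64 -l 32
-- This will print the stored Mifare dictionary keys
script run mem_readpwd -m
-- This will print the stored t55xx dictionary passwords
script run mem_readpwd -t
-- This will print the stored iClass dictionary keys
script run mem_readpwd -i
]]

-- Command synopsis; the option letters match the getopt string used in main().
usage = [[
script run mem_readpwd [-h] [-o <offset>] [-l <length>] [-k <keylength>] [-m] [-t] [-i]
]]

-- Per-option help.
arguments = [[
-h : this help
-o <offset> : memory offset, default is 0
-l <length> : length in bytes, default is 256
-k <keylen> : key length in bytes <4|6|8> , default is 4
-m : print Mifare dictionary keys
-t : print t55xx dictionary passwords
-i : print iClass dictionary keys
]]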
---
-- This is only meant to be used when errors occur
local function oops(err)
    -- Show the failure on the console first ...
    print('ERROR:', err)

    -- ... then call core.clearCommandBuffer() before handing control back.
    core.clearCommandBuffer()

    -- nil plus the original message, so a caller can `return oops(...)`.
    return nil, err
end
---
-- Usage help
local function help()
    -- Prints a section title wrapped in the cyan/reset colour codes.
    local function heading(title)
        print(ansicolors.cyan..title..ansicolors.reset)
    end

    -- Banner: copyright, author, version, then the description text.
    print(copyright)
    print(author)
    print(version)
    print(desc)

    -- Each remaining section is a coloured title followed by its text.
    heading('Usage')
    print(usage)

    heading('Arguments')
    print(arguments)

    heading('Example usage')
    print(example)
end
---
-- The main entry point
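local function main(args)
    -- Parses the option string in `args`, reads `length` bytes of flash memory
    -- at `offset` through core.GetFromFlashMem and prints the entries found.
    --
    -- Returns nothing on success, help()'s result for -h, `nil, err` (through
    -- oops) on invalid options or a failed read, or the string
    -- "No keys found in section" when a section's counter reads 0xFFFF.
    --
    -- Everything printed from the flash data is password/key material in
    -- clear text.

    print( string.rep('--',20) )
    print( string.rep('--',20) )
    print()

    local offset = 0
    local length = 256
    local keylength = 4
    local usedkey = false

    for o, a in getopt.getopt(args, 'ho:l:k:mti') do

        -- help
        if o == 'h' then return help() end

        -- offset; validated after the loop because -m/-t/-i may replace it
        if o == 'o' then offset = tonumber(a) end

        -- num of bytes to read
        if o == 'l' then
            length = tonumber(a)
            -- tonumber() gives nil for non-numeric text, so test that before
            -- comparing; a fractional length would build a bad unpack format.
            if not length or length % 1 ~= 0 or length < 0 or length > 256 then
                return oops('Error: Length is not valid. Must be a whole number from 0 to 256')
            end
        end

        -- keylength; validated after the loop because -m/-t/-i may replace it
        if o == 'k' then keylength = tonumber(a); usedkey = true end

        -- dictionary presets: fixed key length, section length and offset
        if o == 'm' then keylength = 6; usedkey = true; length = 8192; offset = 0x3F000-0x6000; end
        if o == 't' then keylength = 4; usedkey = true; length = 4096; offset = 0x3F000-0x3000; end
        if o == 'i' then keylength = 8; usedkey = true; length = 4096; offset = 0x3F000-0x4000; end
    end

    -- `not offset` catches a non-numeric -o value before the arithmetic below
    if not offset or (offset < 0) or (offset % 4 ~= 0) then
        return oops('Error: Offset is not valid. Mod-4 values are only allowed.')
    end

    -- a nil, zero, negative or fractional key length would break the slicing
    if not keylength or keylength < 1 or keylength % 1 ~= 0 then
        return oops('Error: Key length is not valid. Must be a positive whole number of bytes')
    end

    print('Memory offset', offset)
    print('Length ', length)
    print('Key length ', keylength)
    print( string.rep('--', 20) )

    local data, err = core.GetFromFlashMem(offset, length)
    if err then return oops(err) end
    if not data then return oops('Error: No data returned from flash memory') end

    if usedkey then
        -- The section starts with a 2-byte counter, so at least 2 bytes are needed.
        if length < 2 then
            return oops('Error: Length is too short to hold the key counter')
        end

        -- 'S' takes the counter, 'H' the remaining length-2 bytes as hex text.
        local _, keys, s = bin.unpack('SH'..length-2, data)
        if type(keys) ~= 'number' or type(s) ~= 'string' then
            return oops('Error: Could not parse the data read from flash memory')
        end

        if keys == 0xFFFF then
            -- The original returned this message without ever showing it.
            print('No keys found in section')
            return "No keys found in section"
        end

        -- two hex characters per key byte
        local kl = keylength * 2

        -- The counter comes from flash; never list more entries than the
        -- bytes actually read can hold.
        local shown = math.min(keys, math.floor(#s / kl))
        if shown < keys then
            print(('[!] counter reports %d keys, only %d fit in the data read'):format(keys, shown))
        end

        for i = 1, shown do
            local key = string.sub(s, (i - 1) * kl + 1, i * kl )
            print(string.format('[%02d] %s',i, key))
        end
        print( string.rep('--',20) )
        print( ('[+] found %d passwords'):format(shown))
    else
        local _, s = bin.unpack('H'..length, data)
        if type(s) ~= 'string' then
            return oops('Error: Could not parse the data read from flash memory')
        end

        -- Without -k/-m/-t/-i the key length is still 4, so entries are read
        -- as 8 hex characters each; an all-FF entry ends the list.
        local cnt = 0
        for i = 1, (length/keylength) do
            local key = string.sub(s, (i-1)*8+1, i*8)
            if key == 'FFFFFFFF' then break end
            print(string.format('[%02d] %s',i, key))
            cnt = cnt + 1
        end
        print( string.rep('--',20) )
        print( ('[+] found %d passwords'):format(cnt))
    end
    print( string.rep('--',20) )
end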
-- Script entry: run main() with `args`. `args` is not defined in this file;
-- presumably it is supplied by the client's script runner (confirm).
main(args)