2013-06-07 17:26:56 +08:00
|
|
|
--[[
|
|
|
|
This is an example of Lua-scripting within proxmark3. This is a lua-side
|
2018-01-25 16:51:49 +08:00
|
|
|
implementation of hf mf chk
|
2013-06-07 17:26:56 +08:00
|
|
|
|
|
|
|
This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
|
|
|
at your option, any later version. See the LICENSE.txt file for the text of
|
|
|
|
the license.
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2013-06-07 17:26:56 +08:00
|
|
|
Copyright (C) 2013 m h swende <martin at swende.se>
|
2013-10-02 03:58:42 +08:00
|
|
|
--]]
|
2013-06-07 17:26:56 +08:00
|
|
|
-- Loads the commands-library
|
|
|
|
local cmds = require('commands')
|
|
|
|
-- Load the default keys
|
2017-07-22 20:02:51 +08:00
|
|
|
local keylist = require('mf_default_keys')
|
2013-06-07 21:23:32 +08:00
|
|
|
-- Ability to read what card is there
|
2017-07-22 20:02:51 +08:00
|
|
|
local lib14a = require('read14a')
|
2016-10-17 23:20:33 +08:00
|
|
|
local getopt = require('getopt')
|
2018-01-25 16:51:49 +08:00
|
|
|
-- Asks the user for input
|
2017-07-22 20:02:51 +08:00
|
|
|
local utils = require('utils')
|
2013-10-02 03:58:42 +08:00
|
|
|
|
2016-10-17 23:20:33 +08:00
|
|
|
example =[[
|
|
|
|
script run mfkeys
|
|
|
|
]]
|
2017-07-24 19:00:40 +08:00
|
|
|
author = "Holiman"
|
2016-10-17 23:20:33 +08:00
|
|
|
usage = "script run mfkeys"
|
2018-01-25 16:51:49 +08:00
|
|
|
desc = ("This script implements Mifare check keys.\
|
|
|
|
It utilises a large list of default keys (currently %d keys).\
|
2017-07-22 20:02:51 +08:00
|
|
|
If you want to add more, just put them inside /lualibs/mf_default_keys.lua\n"):format(#keylist) ..
|
2016-10-17 23:20:33 +08:00
|
|
|
[[
|
|
|
|
|
|
|
|
Arguments:
|
|
|
|
-h : this help
|
2017-03-07 02:11:08 +08:00
|
|
|
-p : print keys
|
2016-10-17 23:20:33 +08:00
|
|
|
]]
|
2013-06-07 17:26:56 +08:00
|
|
|
|
|
|
|
local TIMEOUT = 10000 -- 10 seconds
|
2016-10-17 23:20:33 +08:00
|
|
|
---
|
2017-12-21 17:15:10 +08:00
|
|
|
-- This is only meant to be used when errors occur
|
|
|
|
local function oops(err)
|
|
|
|
print('ERROR: ',err)
|
|
|
|
return nil,err
|
|
|
|
end
|
|
|
|
---
|
2016-10-17 23:20:33 +08:00
|
|
|
-- Usage help
|
2017-12-21 17:15:10 +08:00
|
|
|
local function help()
|
2016-10-17 23:20:33 +08:00
|
|
|
print(desc)
|
|
|
|
print("Example usage")
|
|
|
|
print(example)
|
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
--
|
|
|
|
-- waits for answer from pm3 device
|
2013-06-07 17:26:56 +08:00
|
|
|
local function checkCommand(command)
|
2017-07-22 20:02:51 +08:00
|
|
|
core.clearCommandBuffer()
|
|
|
|
local usb = command:getBytes()
|
|
|
|
core.SendCommand(usb)
|
|
|
|
local result = core.WaitForResponseTimeout(cmds.CMD_ACK, TIMEOUT)
|
2013-06-07 17:26:56 +08:00
|
|
|
if result then
|
2017-07-22 20:02:51 +08:00
|
|
|
local count, cmd, arg0 = bin.unpack('LL',result)
|
2013-06-07 17:26:56 +08:00
|
|
|
if(arg0==1) then
|
2017-07-22 20:02:51 +08:00
|
|
|
local count, arg1, arg2, data = bin.unpack('LLH511',result,count)
|
2013-06-07 17:26:56 +08:00
|
|
|
key = data:sub(1,12)
|
|
|
|
return key
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
else
|
2017-07-22 20:02:51 +08:00
|
|
|
print("Timeout while waiting for response. Increase TIMEOUT in mfkeys.lua to wait longer")
|
2013-06-07 17:26:56 +08:00
|
|
|
return nil, "Timeout while waiting for device to respond"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local function checkBlock(blockno, testkeys, keytype)
|
|
|
|
|
2013-06-07 17:26:56 +08:00
|
|
|
-- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go.
|
|
|
|
-- If there's more, we need to split it up
|
2017-07-22 20:02:51 +08:00
|
|
|
local arg1 = bit32.bor(bit32.lshift(keytype, 8), blockno)
|
|
|
|
|
|
|
|
local start, remaining = 1, #testkeys
|
|
|
|
local chunksize = remaining
|
|
|
|
if remaining > 85 then chunksize = 85 end
|
|
|
|
local n = chunksize
|
|
|
|
|
2013-06-07 17:26:56 +08:00
|
|
|
while remaining > 0 do
|
2017-07-22 20:02:51 +08:00
|
|
|
--print('start', start, 'chunksize', chunksize, 'testkeys kvar', remaining, 'N-index=', n)
|
|
|
|
|
|
|
|
local d1 = table.concat(testkeys, "", start, n)
|
|
|
|
|
|
|
|
print(("Testing block %d, keytype %d, with %d keys"):format(blockno, keytype, chunksize))
|
2018-01-25 16:51:49 +08:00
|
|
|
local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS,
|
2017-07-22 20:02:51 +08:00
|
|
|
arg1 = arg1,
|
2018-01-25 16:51:49 +08:00
|
|
|
arg2 = 0,
|
|
|
|
arg3 = chunksize,
|
2017-07-22 20:02:51 +08:00
|
|
|
data = d1}
|
2013-06-07 17:26:56 +08:00
|
|
|
local status = checkCommand(command)
|
2017-07-22 20:02:51 +08:00
|
|
|
if status then return status, blockno end
|
|
|
|
start = start + chunksize
|
|
|
|
remaining = remaining - chunksize
|
|
|
|
|
|
|
|
if remaining < 85 then chunksize = remaining end
|
|
|
|
n = n + chunksize
|
2013-06-07 17:26:56 +08:00
|
|
|
end
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
-- A function to display the results
|
2017-07-22 20:02:51 +08:00
|
|
|
local function display_results(keys)
|
|
|
|
local sector, keyA, keyB, succA, succB
|
|
|
|
print('')
|
|
|
|
print('|---|----------------|---|----------------|---|')
|
|
|
|
print('|sec|key A |res|key B |res|')
|
|
|
|
print('|---|----------------|---|----------------|---|')
|
2013-06-07 17:26:56 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
for sector = 0, #keys do
|
|
|
|
succA, succB, keyA, keyB = unpack(keys[sector])
|
|
|
|
print(('|%03d| %s | %s | %s | %s |'):format(sector, keyA, succA, keyB, succB))
|
2013-06-07 17:26:56 +08:00
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
print('|---|----------------|---|----------------|---|')
|
2013-06-07 17:26:56 +08:00
|
|
|
end
|
|
|
|
-- A little helper to place an item first in the list
|
|
|
|
local function placeFirst(akey, list)
|
2018-01-25 16:51:49 +08:00
|
|
|
akey = akey:lower()
|
|
|
|
if list[1] == akey then
|
2013-06-07 17:26:56 +08:00
|
|
|
-- Already at pole position
|
|
|
|
return list
|
|
|
|
end
|
|
|
|
local result = {akey}
|
|
|
|
--print(("Putting '%s' first"):format(akey))
|
|
|
|
for i,v in ipairs(list) do
|
|
|
|
if v ~= akey then
|
|
|
|
result[#result+1] = v
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return result
|
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
--[[
|
|
|
|
The mifare Classic 1k card has 16 sectors of 4 data blocks each.
|
|
|
|
The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
|
|
|
|
8 sectors consist of 16 data blocks.
|
|
|
|
--]]
|
|
|
|
local function get_blockno(s)
|
2013-06-07 17:26:56 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local b, sector
|
|
|
|
|
|
|
|
if type(s) == 'string' then
|
|
|
|
sector = tonumber(s)
|
|
|
|
else
|
|
|
|
sector = s
|
|
|
|
end
|
|
|
|
|
|
|
|
if sector < 32 then
|
|
|
|
b = sector * 4
|
|
|
|
else
|
|
|
|
b = 32 * 4 + (sector - 32) * 16
|
|
|
|
end
|
|
|
|
return ('%02x'):format(b)
|
|
|
|
end
|
|
|
|
--
|
|
|
|
-- dumps all keys to file
|
|
|
|
local function dumptofile(keys)
|
2018-01-25 16:51:49 +08:00
|
|
|
if utils.confirm('Do you wish to save the keys to dumpfile?') then
|
2017-07-22 20:02:51 +08:00
|
|
|
local destination = utils.input('Select a filename to store to', 'dumpkeys.bin')
|
|
|
|
local file = io.open(destination, 'wb')
|
2018-01-25 16:51:49 +08:00
|
|
|
if file == nil then
|
2017-07-22 20:02:51 +08:00
|
|
|
print('Could not write to file ', destination)
|
2013-10-02 03:58:42 +08:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local key_a = ''
|
|
|
|
local key_b = ''
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
--for sector,_ in pairs(keys) do
|
|
|
|
for sector = 0, #keys do
|
|
|
|
local succA, succB, keyA, keyB = unpack(keys[sector])
|
|
|
|
key_a = key_a .. bin.pack('H', keyA);
|
|
|
|
key_b = key_b .. bin.pack('H', keyB);
|
2013-10-02 03:58:42 +08:00
|
|
|
end
|
|
|
|
file:write(key_a)
|
|
|
|
file:write(key_b)
|
|
|
|
file:close()
|
|
|
|
end
|
|
|
|
end
|
2017-03-07 02:11:08 +08:00
|
|
|
local function printkeys()
|
2017-07-22 20:02:51 +08:00
|
|
|
for i=1, #keylist do
|
|
|
|
print(i, keylist[i])
|
2017-03-07 02:11:08 +08:00
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
print ('Number of keys: '..#keylist)
|
2017-03-07 02:11:08 +08:00
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
local function perform_check(numsectors)
|
2013-10-02 03:58:42 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local keyType = 0 -- A=0, B=1
|
2013-06-07 17:26:56 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
-- empty list of found keys
|
|
|
|
local keys = {}
|
|
|
|
for i = 0, numsectors-1 do
|
|
|
|
keys[i] = {0,0,'',''}
|
|
|
|
end
|
2013-06-07 21:23:32 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
for sector = 0, #keys do
|
|
|
|
-- Check if user aborted
|
|
|
|
if core.ukbhit() then
|
|
|
|
print('Aborted by user')
|
|
|
|
break
|
|
|
|
end
|
2013-06-07 21:23:32 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local targetblock = tonumber(get_blockno(sector), 16)
|
|
|
|
|
|
|
|
local succA, succB, keyA, keyB = unpack(keys[sector])
|
|
|
|
|
|
|
|
local keyA = checkBlock(targetblock, keylist, 0)
|
2018-01-25 16:51:49 +08:00
|
|
|
if keyA then succA = 1; keylist = placeFirst(keyA, keylist) end
|
2017-07-22 20:02:51 +08:00
|
|
|
keyA = keyA or '------------'
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local keyB = checkBlock(targetblock, keylist, 1)
|
2018-01-25 16:51:49 +08:00
|
|
|
if keyB then succB = 1; keylist = placeFirst(keyB, keylist) end
|
2017-07-22 20:02:51 +08:00
|
|
|
keyB = keyB or '------------'
|
|
|
|
|
2018-01-25 16:51:49 +08:00
|
|
|
keys[sector] = {succA, succB, keyA, keyB}
|
2017-07-22 20:02:51 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
display_results(keys)
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
-- save to dumpkeys.bin
|
|
|
|
dumptofile(keys)
|
|
|
|
end
|
|
|
|
--
|
|
|
|
-- shows tag information
|
|
|
|
local function taginfo(tag)
|
2013-10-02 03:58:42 +08:00
|
|
|
|
2018-01-25 16:51:49 +08:00
|
|
|
local sectors = 16
|
2017-07-22 20:02:51 +08:00
|
|
|
-- Show tag info
|
|
|
|
print((' Found tag %s'):format(tag.name))
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
if 0x18 == tag.sak then --NXP MIFARE Classic 4k | Plus 4k
|
2018-01-25 16:51:49 +08:00
|
|
|
-- MIFARE Classic 4K offers 4096 bytes split into forty sectors,
|
|
|
|
-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
|
2017-07-22 20:02:51 +08:00
|
|
|
sectors = 40
|
|
|
|
elseif 0x08 == tag.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
|
2013-10-02 03:58:42 +08:00
|
|
|
-- 1K offers 1024 bytes of data storage, split into 16 sector
|
2017-07-22 20:02:51 +08:00
|
|
|
sectors = 16
|
|
|
|
elseif 0x09 == tag.sak then -- NXP MIFARE Mini 0.3k
|
2013-10-02 03:58:42 +08:00
|
|
|
-- MIFARE Classic mini offers 320 bytes split into five sectors.
|
2017-07-22 20:02:51 +08:00
|
|
|
sectors = 5
|
|
|
|
elseif 0x10 == tag.sak then-- "NXP MIFARE Plus 2k"
|
|
|
|
sectors = 32
|
2013-10-02 03:58:42 +08:00
|
|
|
else
|
|
|
|
print("I don't know how many sectors there are on this type of card, defaulting to 16")
|
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
return sectors
|
|
|
|
end
|
2018-01-25 16:51:49 +08:00
|
|
|
---
|
2017-07-22 20:02:51 +08:00
|
|
|
-- The main entry point
|
2018-01-25 16:51:49 +08:00
|
|
|
local function main(args)
|
2013-10-02 03:58:42 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local start_time = os.time()
|
2018-01-25 16:51:49 +08:00
|
|
|
local numSectors = 16
|
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
-- Arguments for the script
|
|
|
|
for o, a in getopt.getopt(args, 'hp') do
|
2018-01-25 16:51:49 +08:00
|
|
|
if o == "h" then return help() end
|
2017-07-22 20:02:51 +08:00
|
|
|
if o == "p" then return printkeys() end
|
2013-06-07 17:26:56 +08:00
|
|
|
end
|
2017-07-22 20:02:51 +08:00
|
|
|
-- identify tag
|
2018-01-25 16:51:49 +08:00
|
|
|
tag, err = lib14a.read(false, true)
|
2017-07-22 20:02:51 +08:00
|
|
|
if not tag then return oops(err) end
|
|
|
|
|
|
|
|
-- detect sectors and print taginfo
|
|
|
|
numsectors = taginfo(tag)
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
perform_check(numsectors)
|
2018-01-25 16:51:49 +08:00
|
|
|
|
2017-07-22 20:02:51 +08:00
|
|
|
local end_time = os.time()
|
2018-01-25 16:51:49 +08:00
|
|
|
print('mfkeys - Total execution time: '..os.difftime(end_time, start_time)..' sec')
|
2013-06-07 17:26:56 +08:00
|
|
|
end
|
|
|
|
|
2018-01-25 16:51:49 +08:00
|
|
|
main( args)
|