python script: added few FIXME

Philippe Teuwen 2024-11-07 17:34:56 +01:00
parent 2293874402
commit 13c8ca76fc


@ -110,6 +110,9 @@ def main():
lprint("Fudan FM11RF08[S] full card recovery") lprint("Fudan FM11RF08[S] full card recovery")
lprint(f"\nDump folder: {dpath}") lprint(f"\nDump folder: {dpath}")
# FIXME: script is announced as for RF08 and for RF08S but it comprises RF32N key
# and if RF08 is supported, all other NXP/Infineon with same backdoor can be treated
# by the same script (once properly implemented, see other FIXME)
bdkey, blk0 = getBackdoorKey() bdkey, blk0 = getBackdoorKey()
if bdkey is None: if bdkey is None:
return return
@ -120,10 +123,13 @@ def main():
mad = False mad = False
keyfile = f"{dpath}hf-mf-{uid.hex().upper()}-key.bin" keyfile = f"{dpath}hf-mf-{uid.hex().upper()}-key.bin"
# FIXME: nr of sectors depend on the tag. RF32N is 40, RF32 is 64, RF08 is 16, RF08S is 16+1
# Currently loadKeys is hardcoded for RF08S
if args.force or (key := loadKeys(keyfile)) is None: if args.force or (key := loadKeys(keyfile)) is None:
if args.recover is False: if args.recover is False:
lprint("* Keys not loaded, use --recover to run recovery script [slow]") lprint("* Keys not loaded, use --recover to run recovery script [slow]")
else: else:
# FIXME: recovery() is only for RF08S. TODO for the other ones with a "darknested" attack
keyfile = recoverKeys() keyfile = recoverKeys()
key = loadKeys(keyfile) key = loadKeys(keyfile)
@ -134,12 +140,17 @@ def main():
lprint("! Use --nokeys to keep going past this point") lprint("! Use --nokeys to keep going past this point")
return return
# FIXME: nr of blocks depend on the tag. RF32 is 256, RF08 is 64, RF08S is 64+8
# Currently readBlocks is hardcoded for RF08S
data, blkn = readBlocks(bdkey) data, blkn = readBlocks(bdkey)
data = patchKeys(data, key) data = patchKeys(data, key)
dump18 = diskDump(data, uid, dpath) # save it before you do anything else dump18 = diskDump(data, uid, dpath) # save it before you do anything else
dumpData(data, blkn) dumpData(data, blkn)
# FIXME: nr of blocks depend on the tag. RF32 is 256, RF08 is 64, RF08S is 64+8,
# Currently dumpAcl is hardcoded for RF08S
dumpAcl(data) dumpAcl(data)
if mad is True: if mad is True:
@ -242,7 +253,7 @@ def getUIDfromBlock0(blk0):
# Extract data from block 0 # Extract data from block 0
# ============================================================================== # ==============================================================================
def decodeBlock0(blk0): def decodeBlock0(blk0):
lprint("") lprint()
lprint(" UID BCC ++----- RF08 ID -----++") lprint(" UID BCC ++----- RF08 ID -----++")
lprint(" ! ! SAK !! !!") lprint(" ! ! SAK !! !!")
lprint(" ! ! ! ATQA !! Fudan Sig !!") lprint(" ! ! ! ATQA !! Fudan Sig !!")
@ -403,7 +414,7 @@ def recoverKeys():
lprint(f"[{kn}/", end='', prompt='') lprint(f"[{kn}/", end='', prompt='')
lprint("A]" if ab == 0 else "B]", end='', prompt='') lprint("A]" if ab == 0 else "B]", end='', prompt='')
if badrk > 0: if badrk > 0:
lprint("") lprint()
return keyfile return keyfile
@ -788,15 +799,16 @@ def dumpBambu(data):
# IF YOU PLAN TO CHANGE ACCESS BITS, RTFM, THERE IS MUCH TO CONSIDER ! # IF YOU PLAN TO CHANGE ACCESS BITS, RTFM, THERE IS MUCH TO CONSIDER !
# ============================================================================== # ==============================================================================
def dumpAcl(data): def dumpAcl(data):
global blkn
aclkh = [] # key header aclkh = [] # key header
aclk = [""] * 8 # key lookup aclk = [""] * 8 # key lookup
aclkx = [] # key output aclkx = [] # key output
lprint("\n=====================") lprint()
lprint("=====================")
lprint(" Access Control List") lprint(" Access Control List")
lprint("=====================") lprint("=====================")
lprint()
aclkh.append(" _______________________________________________________ ") aclkh.append(" _______________________________________________________ ")
aclkh.append("| | Sector Trailers |") aclkh.append("| | Sector Trailers |")