RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-03-19 19:38:52 +08:00
Code Issues Projects Releases Packages Wiki Activity

Updated tnp3.lua

Browse source 
added some possibilities to abort the "hf mf nested" command
added a rudimentary items identification for tnp3xxx
This commit is contained in:
iceman1001 2014-11-09 17:22:04 +01:00
parent 9b989c45b9
commit 22f1c57786
6 changed files with 195 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
armsrc/mifarecmd.c
View file

@ -76,7 +76,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// ----------------------------- crypto1 destroy
crypto1_destroy(pcs);
if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
LED_B_ON();
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
@ -558,6 +558,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// statistics on nonce distance
if (calibrate) { // for first call only. Otherwise reuse previous calibration
LED_B_ON();
WDT_HIT();
davg = dmax = 0;
dmin = 2000;
@ -596,10 +597,10 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
continue;
};
nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
for (i = 101; i < 1200; i++) {
nttmp = prng_successor(nt1, 140); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
for (i = 141; i < 1200; i++) {
nttmp = prng_successor(nttmp, 1);
if (nttmp == nt2) break;
if (nttmp == nt2) {break;}
}
if (i != 1200) {
@ -615,7 +616,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
}
}
if (rtr <= 1) return;
if (rtr <= 1) return;
davg = (davg + (rtr - 1)/2) / (rtr - 1);
@ -634,9 +635,18 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// get crypted nonces for target sector
for(i=0; i < 2; i++) { // look for exactly two different nonces
WDT_HIT();
if(BUTTON_PRESS()) {
DbpString("Nested: cancelled");
crypto1_destroy(pcs);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
return;
}
target_nt[i] = 0;
while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
// prepare next select. No need to power down the card.
if(mifare_classic_halt(pcs, cuid)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");
@ -697,15 +707,15 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
}
}
LED_C_OFF();
// ----------------------------- crypto1 destroy
crypto1_destroy(pcs);
// add trace trailer
memset(uid, 0x44, 4);
LogTrace(uid, 4, 0, 0, TRUE);
// memset(uid, 0x44, 4);
// LogTrace(uid, 4, 0, 0, TRUE);
byte_t buf[4 + 4 * 4];
memcpy(buf, &cuid, 4);

83
client/.history
View file

@ -9,3 +9,86 @@ lf t55xx rd 2
lf em4x 410xsim 124s
lf em4x 410xsim 0F0368568B
da pl
scr run sky
script list
scr run mifare_autopwn
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3 -n
scr run tnp3
scr run tnp3 -n
hf mf nested 0 a 4b0b20107ccb d
hf mf nested 1 0 a 4b0b20107ccb d
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3 -n
scr run tnp3
hf mf nested 1 0 a 4b0b20107ccb d
scr run tnp3

20
client/cmdhfmf.c
View file

@ -36,7 +36,6 @@ start:
//flush queue
while (ukbhit()) getchar();
// wait cycle
while (true) {
printf(".");
@ -848,9 +847,7 @@ int CmdHF14AMfNested(const char *Cmd)
if (ctmp != 'A' && ctmp != 'a')
trgKeyType = 1;
} else {
switch (cmdp) {
case '0': SectorsCnt = 05; break;
case '1': SectorsCnt = 16; break;
@ -935,20 +932,26 @@ int CmdHF14AMfNested(const char *Cmd)
}
}
// nested sectors
iterations = 0;
PrintAndLog("nested...");
bool calibrate = true;
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
if (ukbhit()) {
printf("\naborted via keyboard!\n");
free(e_sector);
return 2;
}
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
PrintAndLog("-----------------------------------------------");
if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
PrintAndLog("Nested error.\n");
return 2;
}
free(e_sector);
return 2; }
else {
calibrate = false;
}
@ -1018,10 +1021,9 @@ int CmdHF14AMfNested(const char *Cmd)
}
fclose(fkeys);
}
free(e_sector);
}
return 0;
}

63
client/lualibs/default_toys.lua Normal file
View file

@ -0,0 +1,63 @@
local _names = {
--[[
--]]
["0400"]="BASH",
["1600"]="BOOMER" ,
["1800"]="CAMO",
["3000"]="CHOPCHOP" ,
["2000"]="CYNDER",
["6400"]="JET-VAC",
["6700"]="FLASHWING",
["7000"]="TREE REX",
["7100"]="LIGHTCORE SHROOMBOOM",
["1C00"]="DARK SPYRO",
["0600"]="DINORANG" ,
["1200"]="DOUBLE TROUBLE" ,
["1500"]="DRILLSERGEANT" ,
["1400"]="DROBOT",
["0900"]="LIGHTCORE ERUPTOR" ,
["0B00"]="FLAMESLINGER" ,
["1F00"]="GHOST ROASTER",
["0E00"]="GILL GRUNT" ,
["1D00"]="HEX",
["0A00"]="IGNITOR",
["0300"]="LIGHTNINGROD",
["0700"]="LIGHTCORE PRISM BREAK",
["1500"]="SLAMBAM",
["0100"]="SONIC BOOM",
["1000"]="SPYRO",
["1A00"]="STEALTH ELF",
["1B00"]="STUMP SMASH",
["0800"]="SUNBURN",
["0500"]="TERRAFIN",
["1300"]="TRIGGER HAPPY",
["1100"]="VOODOOD",
["0200"]="WARNADO",
["0D00"]="WHAM SHELL",
["0000"]="WHIRLWIND",
["1700"]="WRECKING BALL",
["0C00"]="ZAP",
["1900"]="ZOOK",
["0300"]="DRAGON",
["012D"]="ICE",
["012E"]="PIRATE",
["0130"]="PVPUNLOCK",
["012F"]="UNDEAD",
["0200"]="ANVIL" ,
["CB00"]="CROSSED SWORDS",
["CC00"]="HOURGLASS",
["CA00"]="REGENERATION",
["C900"]="SECRET STASH",
["CD00"]="SHIELD",
["CF00"]="SPARX",
["CE00"]="SPEED BOOTS",
["0194"]="LEGENDARY BASH",
["0430"]="LEGENDARY CHOPCHOP",
["01A0"]="LEGENDARY SPYRO",
["01A3"]="LEGENDARY TRIGGER HAPPY",
["0202"]="PET GILL GRUNT",
["020E"]="PET STEALTH ELF",
["01F9"]="PET TERRAFIN",
["0207"]="PET TRIGGER HAPPY",
}
return _names

7
client/mifarehost.c
View file

@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) {
else return -1;
}
// Compare 16 Bits out of cryptostate
int Compare16Bits(const void * a, const void * b) {
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) {
else return -1;
}
typedef
struct {
union {
@ -70,15 +67,11 @@ void* nested_worker_thread(void *arg)
return statelist->head.slhead;
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate)
{
uint16_t i, len;
uint32_t uid;
UsbCommand resp;
StateList_t statelists[2];
struct Crypto1State *p1, *p2, *p3, *p4;

27
client/scripts/tnp3.lua
View file

@ -4,6 +4,7 @@ local bin = require('bin')
local lib14a = require('read14a')
local utils = require('utils')
local md5 = require('md5')
local toyNames = require('default_toys')
example =[[
1. script run tnp3
@ -92,8 +93,8 @@ end
local function main(args)
print( string.rep('--',20) )
print( string.rep('--',20) )
print()
--print( string.rep('--',20) )
--print()
local keyA
local cmd
@ -114,27 +115,30 @@ local function main(args)
if #(keyA) ~= 12 then
return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
end
-- Turn off Debug
local cmdSetDbgOff = "hf mf dbg 0"
core.console( cmdSetDbgOff)
result, err = lib14a.read1443a(false)
if not result then
return oops(err)
end
print((' Found tag : %s'):format(result.name))
core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
return oops('This is not a TNP3xxx tag. aborting.')
end
print((' Found tag : %s'):format(result.name))
-- Show info
print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) )
--Trying to find the other keys
if useNested then
print('Trying to find keys.')
core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
end
@ -165,6 +169,8 @@ local function main(args)
local blockNo
local blocks = {}
print('Reading card data')
-- main loop
for blockNo = 0, numBlocks-1, 1 do
@ -188,8 +194,7 @@ local function main(args)
-- Block 0-7 not encrypted
blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
else
local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)
local md5hash = md5.sumhexa(base)
local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local md5hash = md5.sumhexa(base)
local aestest = core.aes(md5hash, blockdata)
local _,hex = bin.unpack(("H%d"):format(16),aestest)
@ -215,6 +220,12 @@ local function main(args)
end
-- Print results
local uid = block0:sub(1,8)
local itemtype = block1:sub(1,4)
local cardid = block1:sub(9,24)
print( (' UID : %s'):format(uid) )
print( (' ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype]) )
print( (' CARDID : %s'):format(cardid ) )
print('BLK :: DATA DECRYPTED' )
print( string.rep('--',36) )
for _,s in pairs(blocks) do