RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-03-22 05:00:29 +08:00
Code Issues Projects Releases Packages Wiki Activity

Updated tnp3.lua

Browse source 
added some possibilities to abort the "hf mf nested" command
added a rudimentary items identification for tnp3xxx
This commit is contained in:
iceman1001 2014-11-09 17:22:04 +01:00
parent 9b989c45b9
commit 22f1c57786
6 changed files with 195 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
armsrc/mifarecmd.c
View file

@ -558,6 +558,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// statistics on nonce distance // statistics on nonce distance
if (calibrate) { // for first call only. Otherwise reuse previous calibration if (calibrate) { // for first call only. Otherwise reuse previous calibration
LED_B_ON(); LED_B_ON();
WDT_HIT();
davg = dmax = 0; davg = dmax = 0;
dmin = 2000; dmin = 2000;
@ -596,10 +597,10 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
continue; continue;
}; };
nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160 nttmp = prng_successor(nt1, 140); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
for (i = 101; i < 1200; i++) { for (i = 141; i < 1200; i++) {
nttmp = prng_successor(nttmp, 1); nttmp = prng_successor(nttmp, 1);
if (nttmp == nt2) break; if (nttmp == nt2) {break;}
} }
if (i != 1200) { if (i != 1200) {
@ -634,6 +635,15 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// get crypted nonces for target sector // get crypted nonces for target sector
for(i=0; i < 2; i++) { // look for exactly two different nonces for(i=0; i < 2; i++) { // look for exactly two different nonces
WDT_HIT();
if(BUTTON_PRESS()) {
DbpString("Nested: cancelled");
crypto1_destroy(pcs);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
return;
}
target_nt[i] = 0; target_nt[i] = 0;
while(target_nt[i] == 0) { // continue until we have an unambiguous nonce while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
@ -704,8 +714,8 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
crypto1_destroy(pcs); crypto1_destroy(pcs);
// add trace trailer // add trace trailer
memset(uid, 0x44, 4); // memset(uid, 0x44, 4);
LogTrace(uid, 4, 0, 0, TRUE); // LogTrace(uid, 4, 0, 0, TRUE);
byte_t buf[4 + 4 * 4]; byte_t buf[4 + 4 * 4];
memcpy(buf, &cuid, 4); memcpy(buf, &cuid, 4);

83
client/.history
View file

@ -9,3 +9,86 @@ lf t55xx rd 2
lf em4x 410xsim 124s lf em4x 410xsim 124s
lf em4x 410xsim 0F0368568B lf em4x 410xsim 0F0368568B
da pl da pl
scr run sky
script list
scr run mifare_autopwn
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3 -n
scr run tnp3
scr run tnp3 -n
hf mf nested 0 a 4b0b20107ccb d
hf mf nested 1 0 a 4b0b20107ccb d
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3
scr run tnp3 -n
scr run tnp3
hf mf nested 1 0 a 4b0b20107ccb d
scr run tnp3

16
client/cmdhfmf.c
View file

@ -36,7 +36,6 @@ start:
//flush queue //flush queue
while (ukbhit()) getchar(); while (ukbhit()) getchar();
// wait cycle // wait cycle
while (true) { while (true) {
printf("."); printf(".");
@ -849,8 +848,6 @@ int CmdHF14AMfNested(const char *Cmd)
trgKeyType = 1; trgKeyType = 1;
} else { } else {
switch (cmdp) { switch (cmdp) {
case '0': SectorsCnt = 05; break; case '0': SectorsCnt = 05; break;
case '1': SectorsCnt = 16; break; case '1': SectorsCnt = 16; break;
@ -935,20 +932,26 @@ int CmdHF14AMfNested(const char *Cmd)
} }
} }
// nested sectors // nested sectors
iterations = 0; iterations = 0;
PrintAndLog("nested..."); PrintAndLog("nested...");
bool calibrate = true; bool calibrate = true;
for (i = 0; i < NESTED_SECTOR_RETRY; i++) { for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
if (ukbhit()) {
printf("\naborted via keyboard!\n");
free(e_sector);
return 2;
}
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
if (e_sector[sectorNo].foundKey[trgKeyType]) continue; if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
PrintAndLog("-----------------------------------------------"); PrintAndLog("-----------------------------------------------");
if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) { if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
PrintAndLog("Nested error.\n"); PrintAndLog("Nested error.\n");
return 2; free(e_sector);
} return 2; }
else { else {
calibrate = false; calibrate = false;
} }
@ -1021,7 +1024,6 @@ int CmdHF14AMfNested(const char *Cmd)
free(e_sector); free(e_sector);
} }
return 0; return 0;
} }

63
client/lualibs/default_toys.lua Normal file
View file

@ -0,0 +1,63 @@
local _names = {
--[[
--]]
["0400"]="BASH",
["1600"]="BOOMER" ,
["1800"]="CAMO",
["3000"]="CHOPCHOP" ,
["2000"]="CYNDER",
["6400"]="JET-VAC",
["6700"]="FLASHWING",
["7000"]="TREE REX",
["7100"]="LIGHTCORE SHROOMBOOM",
["1C00"]="DARK SPYRO",
["0600"]="DINORANG" ,
["1200"]="DOUBLE TROUBLE" ,
["1500"]="DRILLSERGEANT" ,
["1400"]="DROBOT",
["0900"]="LIGHTCORE ERUPTOR" ,
["0B00"]="FLAMESLINGER" ,
["1F00"]="GHOST ROASTER",
["0E00"]="GILL GRUNT" ,
["1D00"]="HEX",
["0A00"]="IGNITOR",
["0300"]="LIGHTNINGROD",
["0700"]="LIGHTCORE PRISM BREAK",
["1500"]="SLAMBAM",
["0100"]="SONIC BOOM",
["1000"]="SPYRO",
["1A00"]="STEALTH ELF",
["1B00"]="STUMP SMASH",
["0800"]="SUNBURN",
["0500"]="TERRAFIN",
["1300"]="TRIGGER HAPPY",
["1100"]="VOODOOD",
["0200"]="WARNADO",
["0D00"]="WHAM SHELL",
["0000"]="WHIRLWIND",
["1700"]="WRECKING BALL",
["0C00"]="ZAP",
["1900"]="ZOOK",
["0300"]="DRAGON",
["012D"]="ICE",
["012E"]="PIRATE",
["0130"]="PVPUNLOCK",
["012F"]="UNDEAD",
["0200"]="ANVIL" ,
["CB00"]="CROSSED SWORDS",
["CC00"]="HOURGLASS",
["CA00"]="REGENERATION",
["C900"]="SECRET STASH",
["CD00"]="SHIELD",
["CF00"]="SPARX",
["CE00"]="SPEED BOOTS",
["0194"]="LEGENDARY BASH",
["0430"]="LEGENDARY CHOPCHOP",
["01A0"]="LEGENDARY SPYRO",
["01A3"]="LEGENDARY TRIGGER HAPPY",
["0202"]="PET GILL GRUNT",
["020E"]="PET STEALTH ELF",
["01F9"]="PET TERRAFIN",
["0207"]="PET TRIGGER HAPPY",
}
return _names

7
client/mifarehost.c
View file

@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) {
else return -1; else return -1;
} }
// Compare 16 Bits out of cryptostate // Compare 16 Bits out of cryptostate
int Compare16Bits(const void * a, const void * b) { int Compare16Bits(const void * a, const void * b) {
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0; if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) {
else return -1; else return -1;
} }
typedef typedef
struct { struct {
union { union {
@ -70,16 +67,12 @@ void* nested_worker_thread(void *arg)
return statelist->head.slhead; return statelist->head.slhead;
} }
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate)
{ {
uint16_t i, len; uint16_t i, len;
uint32_t uid; uint32_t uid;
UsbCommand resp; UsbCommand resp;
StateList_t statelists[2]; StateList_t statelists[2];
struct Crypto1State *p1, *p2, *p3, *p4; struct Crypto1State *p1, *p2, *p3, *p4;

27
client/scripts/tnp3.lua
View file

@ -4,6 +4,7 @@ local bin = require('bin')
local lib14a = require('read14a') local lib14a = require('read14a')
local utils = require('utils') local utils = require('utils')
local md5 = require('md5') local md5 = require('md5')
local toyNames = require('default_toys')
example =[[ example =[[
1. script run tnp3 1. script run tnp3
@ -92,8 +93,8 @@ end
local function main(args) local function main(args)
print( string.rep('--',20) ) print( string.rep('--',20) )
print( string.rep('--',20) ) --print( string.rep('--',20) )
print() --print()
local keyA local keyA
local cmd local cmd
@ -115,26 +116,29 @@ local function main(args)
return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA)) return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
end end
-- Turn off Debug
local cmdSetDbgOff = "hf mf dbg 0"
core.console( cmdSetDbgOff)
result, err = lib14a.read1443a(false) result, err = lib14a.read1443a(false)
if not result then if not result then
return oops(err) return oops(err)
end end
print((' Found tag : %s'):format(result.name))
core.clearCommandBuffer() core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
return oops('This is not a TNP3xxx tag. aborting.') return oops('This is not a TNP3xxx tag. aborting.')
end end
print((' Found tag : %s'):format(result.name))
-- Show info -- Show info
print(('Using keyA : %s'):format(keyA)) print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) ) print( string.rep('--',20) )
--Trying to find the other keys
if useNested then if useNested then
print('Trying to find keys.')
core.console( ('hf mf nested 1 0 A %s d'):format(keyA) ) core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
end end
@ -165,6 +169,8 @@ local function main(args)
local blockNo local blockNo
local blocks = {} local blocks = {}
print('Reading card data')
-- main loop -- main loop
for blockNo = 0, numBlocks-1, 1 do for blockNo = 0, numBlocks-1, 1 do
@ -188,8 +194,7 @@ local function main(args)
-- Block 0-7 not encrypted -- Block 0-7 not encrypted
blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata) blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
else else
local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local md5hash = md5.sumhexa(base)
local md5hash = md5.sumhexa(base)
local aestest = core.aes(md5hash, blockdata) local aestest = core.aes(md5hash, blockdata)
local _,hex = bin.unpack(("H%d"):format(16),aestest) local _,hex = bin.unpack(("H%d"):format(16),aestest)
@ -215,6 +220,12 @@ local function main(args)
end end
-- Print results -- Print results
local uid = block0:sub(1,8)
local itemtype = block1:sub(1,4)
local cardid = block1:sub(9,24)
print( (' UID : %s'):format(uid) )
print( (' ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype]) )
print( (' CARDID : %s'):format(cardid ) )
print('BLK :: DATA DECRYPTED' ) print('BLK :: DATA DECRYPTED' )
print( string.rep('--',36) ) print( string.rep('--',36) )
for _,s in pairs(blocks) do for _,s in pairs(blocks) do