From 94236fa02c4e20f4e2cf6a5a60b6e840b55d95e8 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 7 Jul 2021 13:39:52 +0200 Subject: [PATCH] added ht_reblay support python scripts (@salmg) --- CHANGELOG.md | 1 + tools/pm3_reblay-emulating.py | 55 ++++++++++++++++++++++++++++ tools/pm3_reblay-reading.py | 69 +++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+) create mode 100644 tools/pm3_reblay-emulating.py create mode 100644 tools/pm3_reblay-reading.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 321bef66c..17d45f1e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added support python scripts (@salmg) - Add new standalone mode `hf_reblay` - relay 14a over bt (@salmg) - Added one new key from gun cloner found in wild (@scott4290) - Fix `hf_msdsal` standalone in simulation flow (@salmg) diff --git a/tools/pm3_reblay-emulating.py b/tools/pm3_reblay-emulating.py new file mode 100644 index 000000000..280d5ccb2 --- /dev/null +++ b/tools/pm3_reblay-emulating.py 
@@ -0,0 +1,55 @@
+"""
+//-----------------------------------------------------------------------------
+// Salvador Mendoza (salmg.net), 2021
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Code to test Proxmark3 Standalone mode aka reblay by Salvador Mendoza
+//-----------------------------------------------------------------------------
+"""
+
+import serial
+from smartcard.util import toHexString, toBytes
+from smartcard.CardType import AnyCardType
+from smartcard.CardRequest import CardRequest
+
+ser = serial.Serial('/dev/rfcomm0') # open Proxmark3 Bluetooth port
+
+def pd(data):
+ rapdu = map(ord, data)
+ return rapdu
+
+apdu = [
+ [0x6F, 0x23, 0x84, 0x0E, 0x32, 0x50, 0x41, 0x59, 0x2E, 0x53, 0x59, 0x53, 0x2E, 0x44, 0x44, 0x46, 0x30, 0x31, 0xA5, 0x11, 0xBF, 0x0C, 0x0E, 0x61, 0x0C, 0x4F, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0x87, 0x01, 0x01, 0x90, 0x00],
+ [0x6F, 0x1E, 0x84, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0xA5, 0x13, 0x50, 0x0B, 0x56, 0x49, 0x53, 0x41, 0x20, 0x43, 0x52, 0x45, 0x44, 0x49, 0x54, 0x9F, 0x38, 0x03, 0x9F, 0x66, 0x02, 0x90, 0x00],
+ [0x80, 0x06, 0x00, 0x80, 0x08, 0x01, 0x01, 0x00, 0x90, 0x00],
+ [0x70,0x15,0x57,0x13,0x46,0x50,0x98,0x29,0x81,0x62,0x29,0x58,0xd2,0x40,0x32,0x01,0x14,0x69,0x00,0x00,0x13,0x83,0x44,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x8f,0x90,0x00],
+ [0x6f, 0x00],
+ [0x6f, 0x00]
+]
+
+print('Testing code: bluetooth has to be connected with the right rfcomm port!')
+print('Waiting for data...')
+initd = ser.read(1)
+
+bufferlen = pd(initd)[0]
+rping = ser.read(bufferlen)
+ping = pd(rping)
+
+print('Terminal command:'),
+print(toHexString(ping))
+
+for x in apdu:
+ print('Sending cmd: '),
+ ser.write(x)
+ print(toHexString(x))
+ print('--')
+
+ lenpk = 
ser.read(1) #first byte is the buffer length
+ bufferlen = pd(lenpk)[0]
+
+ buffer = pd(ser.read(bufferlen))
+ print('Terminal command:'),
+ print(toHexString(buffer))
diff --git a/tools/pm3_reblay-reading.py b/tools/pm3_reblay-reading.py
new file mode 100644
index 000000000..b7a2fa615
--- /dev/null
+++ b/tools/pm3_reblay-reading.py
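Review bot: `ser = serial.Serial('/dev/rfcomm0')` is opened without a `timeout`, so the `ser.read(bufferlen)` calls further down block forever when the Bluetooth link drops or the peer sends a length byte larger than the frame that follows; that length byte comes off the wire and is used unchecked. Opening the port with e.g. `serial.Serial('/dev/rfcomm0', timeout=5)` and checking for a short read before handing the buffer to `toHexString` turns a hang or a silently truncated frame into a clear error, and the read-length-then-body sequence is repeated for every command, so a small helper fits well. The same pattern appears in tools/pm3_reblay-reading.py further down in this patch. `pd` is also Python 2 only: on Python 3 `map` returns an iterator so `pd(initd)[0]` raises TypeError, and `ord` fails on the int elements of `bytes`; `return list(bytearray(data))` works on both. `toBytes`, `AnyCardType` and `CardRequest` are imported but never used in this script.

```python
ser = serial.Serial('/dev/rfcomm0', timeout=5) # open Proxmark3 Bluetooth port; timeout so a dropped link cannot hang the script

def pd(data):
    # bytearray() accepts str (py2) and bytes (py3); list() keeps the [0] indexing below working
    return list(bytearray(data))

def read_frame(port):
    """Read one length-prefixed frame from the Proxmark3; raise instead of hanging or truncating."""
    lenpk = port.read(1) # first byte is the buffer length
    if len(lenpk) != 1:
        raise IOError('timed out waiting for frame length')
    bufferlen = pd(lenpk)[0]
    buffer = pd(port.read(bufferlen))
    if len(buffer) != bufferlen:
        raise IOError('short frame: expected %d bytes, got %d' % (bufferlen, len(buffer)))
    return buffer

# … unchanged: apdu table and banner prints …
ping = read_frame(ser)
# … unchanged: print of the terminal command, send loop …
    buffer = read_frame(ser)
```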
@@ -0,0 +1,69 @@
+"""
+//-----------------------------------------------------------------------------
+// Salvador Mendoza (salmg.net), 2021
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Code to test Proxmark3 Standalone mode aka reblay by Salvador Mendoza
+//-----------------------------------------------------------------------------
+"""
+
+import serial
+from smartcard.util import toHexString
+
+ser = serial.Serial('/dev/rfcomm0') # open Proxmark3 Bluetooth port
+
+def pd(data):
+ rapdu = map(ord, data)
+ return rapdu
+
+apdu = [
+ [0x00, 0xA4, 0x04, 0x00, 0x0e, 0x32, 0x50, 0x41, 0x59, 0x2e, 0x53, 0x59, 0x53, 0x2e, 0x44, 0x44, 0x46, 0x30, 0x31, 0x00], # PPSE
+ [0x00, 0xA4, 0x04, 0x00, 0x07, 0xa0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10, 0x00], # Visa card
+ [0x80, 0xA8, 0x00, 0x00, 0x02, 0x83, 0x00, 0x00], # GET PROCESSING
+ [0x00, 0xb2, 0x01, 0x0c, 0x00] # SFI
+]
+
+print('Testing code: bluetooth has to be connected with the right rfcomm port!')
+print('Waiting for data...')
+initd = ser.read(1)
+
+bufferlen = pd(initd)[0]
+rping = ser.read(bufferlen)
+
+ping = pd(rping)
+if (len(ping) == 7):
+ print('UID:'),
+ print(toHexString(ping[:4]))
+ print('ATQA:'),
+ print(toHexString(ping[4:-1]))
+ print('SAK:'),
+ print(toHexString(ping[-1:]))
+elif (len(ping) == 10):
+ print('UID:'),
+ print(toHexString(ping[:7]))
+ print('ATQA:'),
+ print(toHexString(ping[7:-1]))
+ print('SAK:'),
+ print(toHexString(ping[-1:]))
+else:
+ print('got ping, no sure what it means: '),
+ print(ping)
+
+for x in apdu:
+ print('Sending cmd: '),
+ ser.write(x)
+ print(toHexString(x))
+
+ lenpk = ser.read(1) #first byte is the buffer length
+ bufferlen = pd(lenpk)[0]
+
+ buffer = pd(ser.read(bufferlen))
+ print('Card Response:'),
+ print(toHexString(buffer))
+ print('--')
+
+ser.write(b'1') #tell Proxmark3 that we finish the communication
+ser.close()
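Review bot: The `if (len(ping) == 7)` and `elif (len(ping) == 10)` branches repeat the same six prints and differ only in where the UID ends; both layouts are a UID followed by a 2-byte ATQA and a 1-byte SAK (see the `[4:-1]`/`[7:-1]` and `[-1:]` slices), so the split can be derived once as `uidlen = len(ping) - 3` and the two bodies merged. The fallback branch prints the raw list with `print(ping)` while every other output goes through `toHexString`, so `print(toHexString(ping))` would keep the output format consistent. The parentheses around the conditions are redundant in Python; `if len(ping) == 7:` reads cleaner.

```python
ping = pd(rping)
if len(ping) in (7, 10):
    uidlen = len(ping) - 3 # 4- or 7-byte UID, then ATQA (2 bytes) and SAK (1 byte)
    print('UID:'),
    print(toHexString(ping[:uidlen]))
    print('ATQA:'),
    print(toHexString(ping[uidlen:-1]))
    print('SAK:'),
    print(toHexString(ping[-1:]))
else:
    print('got ping, no sure what it means: '),
    print(toHexString(ping))
# … unchanged: apdu loop, end-of-communication byte and close …
```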