Merge pull request #1813 from flamebarke/master

hf_mfu_next.lua - new script for quickly modifying the DT NeXT/xNT implant (NTAG216)
2025-03-16 18:13:13 +08:00 · 2022-11-16 09:05:02 +01:00 · 2022-11-16 09:05:02 +01:00 · de2e1bf8aa
commit de2e1bf8aa
parent 6c163fa262 789e338c4f
2 changed files with 172 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+ - Added luascript `hf_mfu_ntag` - Script for configuring NTAG216 configuration pages (@flamebarke)
 - Changed `hf mf hardnested` - a detection for static encrypted nonces (@iceman1001)
 - Added requirements.txt file to tools folder. Minimum to run pm3_tests.sh (@iceman1001)
 - Changed `hf mf hardnested` - now can detect and use MFC EV1 signature sector key (@iceman1001)
--- a/client/luascripts/hf_mfu_ntag.lua
+++ b/client/luascripts/hf_mfu_ntag.lua
@ -0,0 +1,171 @@
+local getopt = require('getopt')
+local ansicolors  = require('ansicolors')
+
+copyright = ''
+author = 'Shain Lakin'
+version = 'v1.0.0'
+desc =[[
+
+This script modifies the DT NeXT implant (NTAG216) configuration pages.
+
+- NeXT Defaults -
+
+Default hf mfu info:
+----------------------------------------------------------------------
+[=] --- Tag Configuration
+[=]   cfg0 [227/0xE3]: 04 00 00 E3
+[=]                     - strong modulation mode disabled
+[=]                     - page 227 and above need authentication
+[=]   cfg1 [228/0xE4]: 00 05 00 00
+[=]                     - Unlimited password attempts
+[=]                     - NFC counter disabled
+[=]                     - NFC counter not protected
+[=]                     - user configuration writeable
+[=]                     - write access is protected with password
+[=]                     - 05, Virtual Card Type Identifier is default
+[=]   PWD  [229/0xE5]: 00 00 00 00 - (cannot be read)
+[=]   PACK [230/0xE6]: 00 00       - (cannot be read)
+[=]   RFU  [230/0xE6]:       00 00 - (cannot be read)
+----------------------------------------------------------------------
+  
+Default blocks 0xE0 to 0xE6:
+-------------------------------------
+[=] 224/0xE0 | 00 00 00 00 | 0 | ....
+[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT
+[=] 226/0xE2 | 00 00 7F BD | 0 | ....
+[=] 227/0xE3 | 04 00 00 E3 | 0 | ....
+[=] 228/0xE4 | 00 05 00 00 | 0 | ....
+[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR
+[=] 230/0xE6 | 00 00 00 00 | 0 | ....
+-------------------------------------
+]]
+
+example =[[
+
+Set a new password of SUDO using the default password of DNGR:
+
+    script run hf_mfu_next -x pass -p DNGR -n SUDO
+
+Enable password protection from hex block 04 onwards (User memory):
+
+    script run hf_mfu_next -x protect -p DNGR -a 04 
+
+Enable password protection from hex block E3 onwards (Configuration Pages):
+
+    script run hf_mfu_next -x protect -p DNGR -a E3
+
+Disable password protection:
+
+    script run hf_mfu_next -x protect -p DNGR -a FF
+
+Enable the counter and enable read + write password protection on password protected pages 
+(protected block start page specified using -x protect mode):
+
+    script run hf_mfu_next -x conf -p DNGR -c enable -m rw
+
+Disable the counter and enable write only password protection on password protected pages
+(protected block start specified using -x protect mode):
+
+    script run hf_mfu_next -x conf -p DNGR -c disable -m w
+
+]]
+usage = [[
+
+    script run hf_mfu_next -x pass -p <password> -n <new_password>
+    script run hf_mfu_next -x protect -p <password> -a <auth0_block>
+    script run hf_mfu_next -x conf -p <password> -c <enable/disable> -m <r/rw>
+
+]]
+arguments = [[
+    -h      this help
+    -x      mode (pass, protect, conf)
+    -p      password (ascii)
+    -n      new password (ascii)
+    -a      auth0 block (hex)
+    -c      counter (enable/disable)
+    -m      protection mode (r/rw)
+]]
+---
+--- Usage help
+local function help()
+    print(copyright)
+    print(author)
+    print(version)
+    print(desc)
+    print(ansicolors.cyan..'Usage'..ansicolors.reset)
+    print(usage)
+    print(ansicolors.cyan..'Arguments'..ansicolors.reset)
+    print(arguments)
+    print(ansicolors.cyan..'Example usage'..ansicolors.reset)
+    print(example)
+end
+---
+--- Print user message
+local function msg(msg)
+ print( string.rep('--',20) )
+ print('')
+ print(msg)
+ print('')
+ print( string.rep('--',20) )
+end
+---
+--- String to hex function
+local function strhex(str)
+    return (str:gsub(".", function(char) return string.format("%2x", char:byte()) end))
+ end
+---
+-- Main
+local function main(args)
+
+    for o, a in getopt.getopt(args, 'b:m:c:a:p:x:n:h') do
+        if o == 'm' then prot_mode = a end
+        if o == 'c' then counter = a end
+        if o == 'a' then auth0_block = a end
+        if o == 'p' then passwd = strhex(a) end
+        if o == 'x' then mode = a end
+        if o == 'n' then new_pass = strhex(a) end
+        if o == 'h' then return help() end
+    end
+
+    if mode == 'pass' then
+        command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd
+        msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command)
+        core.console(command)
+        command = 'hf mfu rdbl -b 0 -k '..new_pass..''
+        msg('Verifying password is correctly set : \n\n'..command)
+        core.console(command)
+    elseif mode == 'conf' then
+        if counter == 'enable' then
+            if prot_mode == 'r' then
+                command = 'hf mfu wrbl -b 228 -d 10050000 -k '..passwd
+                msg('Enabling counter and setting write access to protected pages as password protected : \n\n'..command)
+                core.console(command)
+            elseif prot_mode == 'rw' then
+                command = 'hf mfu wrbl -b 228 -d 90050000 -k '..passwd
+                msg('Enabling counter and setting read/write access to protected pages as password protected : \n\n'..command)
+                core.console(command)
+            end
+        elseif counter == 'disable' then
+            if prot_mode == 'w' then
+                command = 'hf mfu wrbl -b 228 -d 00050000 -k '..passwd
+                msg('Disabling counter and setting write password protection on protected pages : \n\n'..command)
+                core.console(command)
+            elseif prot_mode == 'rw' then
+                command = 'hf mfu wrbl -b 228 -d 80050000 -k '..passwd
+                msg('Disabling counter and setting read/write password protection on protected pages : \n\n'..command)
+                core.console(command)
+            end        
+        end
+    elseif mode == 'protect' then
+        command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block
+        msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command)
+        core.console(command)
+    else
+        return print(usage)
+    end
+
+    if command == '' then return print(usage) end
+
+
+end
+main(args)