diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f75478e7..afe7f7fe4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added luascript `hf_mfu_ntag` - Script for configuring NTAG216 configuration pages (@flamebarke) - Changed `hf mf hardnested` - a detection for static encrypted nonces (@iceman1001) - Added requirements.txt file to tools folder. Minimum to run pm3_tests.sh (@iceman1001) - Changed `hf mf hardnested` - now can detect and use MFC EV1 signature sector key (@iceman1001) diff --git a/client/luascripts/hf_mfu_ntag.lua b/client/luascripts/hf_mfu_ntag.lua new file mode 100644 index 000000000..0709fc9f8 --- /dev/null +++ b/client/luascripts/hf_mfu_ntag.lua @@ -0,0 +1,171 @@ +local getopt = require('getopt') +local ansicolors = require('ansicolors') + +copyright = '' +author = 'Shain Lakin' +version = 'v1.0.0' +desc =[[ + +This script modifies the DT NeXT implant (NTAG216) configuration pages. + +- NeXT Defaults - + +Default hf mfu info: +---------------------------------------------------------------------- +[=] --- Tag Configuration +[=] cfg0 [227/0xE3]: 04 00 00 E3 +[=] - strong modulation mode disabled +[=] - page 227 and above need authentication +[=] cfg1 [228/0xE4]: 00 05 00 00 +[=] - Unlimited password attempts +[=] - NFC counter disabled +[=] - NFC counter not protected +[=] - user configuration writeable +[=] - write access is protected with password +[=] - 05, Virtual Card Type Identifier is default +[=] PWD [229/0xE5]: 00 00 00 00 - (cannot be read) +[=] PACK [230/0xE6]: 00 00 - (cannot be read) +[=] RFU [230/0xE6]: 00 00 - (cannot be read) +---------------------------------------------------------------------- + +Default blocks 0xE0 to 0xE6: +------------------------------------- +[=] 224/0xE0 | 00 00 00 00 | 0 | .... +[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT +[=] 226/0xE2 | 00 00 7F BD | 0 | .... +[=] 227/0xE3 | 04 00 00 E3 | 0 | .... +[=] 228/0xE4 | 00 05 00 00 | 0 | .... +[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR +[=] 230/0xE6 | 00 00 00 00 | 0 | .... +------------------------------------- +]] + +example =[[ + +Set a new password of SUDO using the default password of DNGR: + + script run hf_mfu_next -x pass -p DNGR -n SUDO + +Enable password protection from hex block 04 onwards (User memory): + + script run hf_mfu_next -x protect -p DNGR -a 04 + +Enable password protection from hex block E3 onwards (Configuration Pages): + + script run hf_mfu_next -x protect -p DNGR -a E3 + +Disable password protection: + + script run hf_mfu_next -x protect -p DNGR -a FF + +Enable the counter and enable read + write password protection on password protected pages +(protected block start page specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c enable -m rw + +Disable the counter and enable write only password protection on password protected pages +(protected block start specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c disable -m w + +]] +usage = [[ + + script run hf_mfu_next -x pass -p <password> -n <new_password> + script run hf_mfu_next -x protect -p <password> -a <auth0_block> + script run hf_mfu_next -x conf -p <password> -c <enable/disable> -m <r/rw> + +]] +arguments = [[ + -h this help + -x mode (pass, protect, conf) + -p password (ascii) + -n new password (ascii) + -a auth0 block (hex) + -c counter (enable/disable) + -m protection mode (r/rw) +]] +--- +--- Usage help +local function help() + print(copyright) + print(author) + print(version) + print(desc) + print(ansicolors.cyan..'Usage'..ansicolors.reset) + print(usage) + print(ansicolors.cyan..'Arguments'..ansicolors.reset) + print(arguments) + print(ansicolors.cyan..'Example usage'..ansicolors.reset) + print(example) +end +--- +--- Print user message +local function msg(msg) + print( string.rep('--',20) ) + print('') + print(msg) + print('') + print( string.rep('--',20) ) +end +--- +--- String to hex function +local function strhex(str) + return (str:gsub(".", function(char) return string.format("%2x", char:byte()) end)) + end +--- +-- Main +local function main(args) + + for o, a in getopt.getopt(args, 'b:m:c:a:p:x:n:h') do + if o == 'm' then prot_mode = a end + if o == 'c' then counter = a end + if o == 'a' then auth0_block = a end + if o == 'p' then passwd = strhex(a) end + if o == 'x' then mode = a end + if o == 'n' then new_pass = strhex(a) end + if o == 'h' then return help() end + end + + if mode == 'pass' then + command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd + msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command) + core.console(command) + command = 'hf mfu rdbl -b 0 -k '..new_pass..'' + msg('Verifying password is correctly set : \n\n'..command) + core.console(command) + elseif mode == 'conf' then + if counter == 'enable' then + if prot_mode == 'r' then + command = 'hf mfu wrbl -b 228 -d 10050000 -k '..passwd + msg('Enabling counter and setting write access to protected pages as password protected : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 90050000 -k '..passwd + msg('Enabling counter and setting read/write access to protected pages as password protected : \n\n'..command) + core.console(command) + end + elseif counter == 'disable' then + if prot_mode == 'w' then + command = 'hf mfu wrbl -b 228 -d 00050000 -k '..passwd + msg('Disabling counter and setting write password protection on protected pages : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 80050000 -k '..passwd + msg('Disabling counter and setting read/write password protection on protected pages : \n\n'..command) + core.console(command) + end + end + elseif mode == 'protect' then + command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block + msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command) + core.console(command) + else + return print(usage) + end + + if command == '' then return print(usage) end + + +end +main(args)