[proxmark3-svn] / client / scripts / tnp3clone.lua

local cmds = require('commands')
local getopt = require('getopt')
local lib14a = require('read14a')
local utils = require('utils')
local pre = require('precalc')
local toys = require('default_toys')

local lsh = bit32.lshift
local rsh = bit32.rshift
local bor = bit32.bor
local band = bit32.band

example =[[
	script run tnp3clone
	script run tnp3clone -h
	script run tnp3clone -t aa00 -s 0030

]]
author = "Iceman"
usage = "script run tnp3clone -t <toytype> -s <subtype>"
desc =[[
This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card.

Arguments:
	-h             : this help
	-t <data>      : toytype id, 4hex symbols.
	-s <data>      : subtype id, 4hex symbols		
]]


-- This is only meant to be used when errors occur
function oops(err)
	print("ERROR: ",err)
end
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
end

local function waitCmd()
	local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000)
	if response then
		local count,cmd,arg0 = bin.unpack('LL',response)
		if(arg0==1) then
			local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
			return data:sub(1,32)
		else
			return nil, "Couldn't read block." 
		end
	end
	return nil, "No response from device"
end

local function readblock( blocknum, keyA )
	-- Read block 0
	cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blocknum, arg2 = 0, arg3 = 0, data = keyA}
	err = core.SendCommand(cmd:getBytes())
	if err then return nil, err end
	local block0, err = waitCmd()
	if err then return nil, err end
	return block0
end
local function readmagicblock( blocknum )
	-- Read block 0
	local CSETBLOCK_SINGLE_OPERATION = 0x1F
	cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum}
	err = core.SendCommand(cmd:getBytes())
	if err then return nil, err end
	local block0, err = waitCmd()
	if err then return nil, err end
	return block0
end

local function main(args)

	print( string.rep('--',20) )
	print( string.rep('--',20) )
	
	local numBlocks = 64
    local cset = 'hf mf csetbl '
	local csetuid = 'hf mf csetuid '
	local cget = 'hf mf cgetbl '
	local empty = '00000000000000000000000000000000'
	local AccAndKeyB = '7F078869000000000000'
	-- Defaults to Gusto
	local toytype = 'C201'
	local subtype = '0030'
	local DEBUG = true
	
	-- Arguments for the script
	for o, a in getopt.getopt(args, 'ht:s:') do
		if o == "h" then return help() end		
		if o == "t" then toytype = a end
		if o == "s" then subtype = a end
	end
	
	if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end	
	if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end	

	-- look up type, find & validate types
	local item = toys.Find( toytype, subtype)
	if item then
		print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) )
	else
		print('Didn\'t find item type. If you are sure about it, report it in')
	end
	--15,16
	--13-14 

	
	-- find tag
	result, err = lib14a.read1443a(false)
	if not result then return oops(err)	end

	-- load keys
	local akeys  = pre.GetAll(result.uid)
	local  keyA = akeys:sub(1, 12 ) 

	local b0 = readblock(0,keyA)
	if not b0 then
		print('failed reading block with factorydefault key.  Trying chinese magic read.')
	    b0, err = readmagicblock(0)
		if not b0 then 
			oops(err) 
			return oops('failed reading block with chinese magic command.  quitting...')
		end
	end
	
	-- wipe card.
	local cmd  = (csetuid..'%s 0004 08 w'):format(result.uid)	
	core.console(cmd) 
	
	local b1 = toytype..'00000000000000000000'..subtype
	local calc = utils.Crc16(b0..b1)
	local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8))
	
	local cmd  = (cset..'1 %s%04x'):format( b1, calcEndian)	
	core.console(cmd) 
	
	local pos, key
	for blockNo = 2, numBlocks-1, 1 do
		pos = (math.floor( blockNo / 4 ) * 12)+1
		key = akeys:sub(pos, pos + 11 )
		if  blockNo%4 == 3 then
			cmd =  ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB) 
			core.console(cmd)
		end		
	end 
	core.clearCommandBuffer()
end
main(args)
Commit	Line	Data
224ce36e	1	local cmds = require('commands')
	2	local getopt = require('getopt')
	3	local lib14a = require('read14a')
	4	local utils = require('utils')
	5	local pre = require('precalc')
411105e0	6	local toys = require('default_toys')
224ce36e	7
	8	local lsh = bit32.lshift
	9	local rsh = bit32.rshift
	10	local bor = bit32.bor
	11	local band = bit32.band
	12
	13	example =[[
411105e0	14	script run tnp3clone
	15	script run tnp3clone -h
	16	script run tnp3clone -t aa00 -s 0030
224ce36e	17
	18	]]
	19	author = "Iceman"
411105e0	20	usage = "script run tnp3clone -t <toytype> -s <subtype>"
224ce36e	21	desc =[[
	22	This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card.
	23
	24	Arguments:
	25	-h : this help
411105e0	26	-t <data> : toytype id, 4hex symbols.
411105e0	27	-s <data> : subtype id, 4hex symbols
224ce36e	28	]]
	29
	30
	31	-- This is only meant to be used when errors occur
	32	function oops(err)
	33	print("ERROR: ",err)
	34	end
	35	-- Usage help
	36	function help()
	37	print(desc)
	38	print("Example usage")
	39	print(example)
	40	end
	41
	42	local function waitCmd()
	43	local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000)
	44	if response then
	45	local count,cmd,arg0 = bin.unpack('LL',response)
	46	if(arg0==1) then
	47	local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
	48	return data:sub(1,32)
	49	else
	50	return nil, "Couldn't read block."
	51	end
	52	end
	53	return nil, "No response from device"
	54	end
	55
	56	local function readblock( blocknum, keyA )
	57	-- Read block 0
	58	cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blocknum, arg2 = 0, arg3 = 0, data = keyA}
	59	err = core.SendCommand(cmd:getBytes())
	60	if err then return nil, err end
	61	local block0, err = waitCmd()
	62	if err then return nil, err end
	63	return block0
	64	end
	65	local function readmagicblock( blocknum )
	66	-- Read block 0
	67	local CSETBLOCK_SINGLE_OPERATION = 0x1F
	68	cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum}
	69	err = core.SendCommand(cmd:getBytes())
	70	if err then return nil, err end
	71	local block0, err = waitCmd()
	72	if err then return nil, err end
	73	return block0
	74	end
	75
	76	local function main(args)
	77
411105e0	78	print( string.rep('--',20) )
	79	print( string.rep('--',20) )
	80
224ce36e	81	local numBlocks = 64
224ce36e	82	local cset = 'hf mf csetbl '
411105e0	83	local csetuid = 'hf mf csetuid '
224ce36e	84	local cget = 'hf mf cgetbl '
	85	local empty = '00000000000000000000000000000000'
	86	local AccAndKeyB = '7F078869000000000000'
	87	-- Defaults to Gusto
	88	local toytype = 'C201'
411105e0	89	local subtype = '0030'
411105e0	90	local DEBUG = true
224ce36e	91
224ce36e	92	-- Arguments for the script
411105e0	93	for o, a in getopt.getopt(args, 'ht:s:') do
224ce36e	94	if o == "h" then return help() end
224ce36e	95	if o == "t" then toytype = a end
411105e0	96	if o == "s" then subtype = a end
224ce36e	97	end
224ce36e	98
411105e0	99	if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end
	100	if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end
	101
	102	-- look up type, find & validate types
	103	local item = toys.Find( toytype, subtype)
	104	if item then
	105	print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) )
	106	else
	107	print('Didn\'t find item type. If you are sure about it, report it in')
	108	end
	109	--15,16
	110	--13-14
	111
224ce36e	112
	113	-- find tag
	114	result, err = lib14a.read1443a(false)
	115	if not result then return oops(err) end
	116
224ce36e	117	-- load keys
	118	local akeys = pre.GetAll(result.uid)
	119	local keyA = akeys:sub(1, 12 )
	120
	121	local b0 = readblock(0,keyA)
	122	if not b0 then
	123	print('failed reading block with factorydefault key. Trying chinese magic read.')
	124	b0, err = readmagicblock(0)
	125	if not b0 then
	126	oops(err)
	127	return oops('failed reading block with chinese magic command. quitting...')
	128	end
	129	end
	130
	131	-- wipe card.
411105e0	132	local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)
224ce36e	133	core.console(cmd)
224ce36e	134
411105e0	135	local b1 = toytype..'00000000000000000000'..subtype
224ce36e	136	local calc = utils.Crc16(b0..b1)
	137	local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8))
	138
	139	local cmd = (cset..'1 %s%04x'):format( b1, calcEndian)
	140	core.console(cmd)
	141
	142	local pos, key
	143	for blockNo = 2, numBlocks-1, 1 do
	144	pos = (math.floor( blockNo / 4 ) * 12)+1
	145	key = akeys:sub(pos, pos + 11 )
	146	if blockNo%4 == 3 then
	147	cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB)
	148	core.console(cmd)
	149	end
	150	end
	151	core.clearCommandBuffer()
	152	end
	153	main(args)