local cmds = require('commands') local getopt = require('getopt') local bin = require('bin') local lib14a = require('read14a') local utils = require('utils') local md5 = require('md5') example =[[ 1. script run tnp3 2. script run tnp3 -n 3. script run tnp3 -k aabbccddeeff 4. script run tnp3 -k aabbccddeeff -n ]] author = "Iceman" usage = "script run tnp3 -k -n" desc =[[ This script will try to dump the contents of a Mifare TNP3xxx card. It will need a valid KeyA in order to find the other keys and decode the card. Arguments: -h : this help -k : Sector 0 Key A. -n : Use the nested cmd to find all keys ]] -- AES konstant? LEN 0x24 36, -- I dekompilen är det för internal static array = 0x36 54 local hashconstant = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds local DEBUG = true -- the debug flag local numBlocks = 64 local numSectors = 16 --- -- A debug printout-function function dbg(args) if not DEBUG then return end if type(args) == "table" then local i = 1 while result[i] do dbg(result[i]) i = i+1 end else print("###", args) end end --- -- This is only meant to be used when errors occur function oops(err) print("ERROR: ",err) end --- -- Usage help function help() print(desc) print("Example usage") print(example) end -- -- Exit message function ExitMsg(msg) print( string.rep('--',20) ) print( string.rep('--',20) ) print(msg) print() end local function readdumpkeys(infile) t = infile:read("*all") len = string.len(t) local len,hex = bin.unpack(("H%d"):format(len),t) return hex end local function waitCmd() local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) if response then local count,cmd,arg0 = bin.unpack('LL',response) if(arg0==1) then local count,arg1,arg2,data = bin.unpack('LLH511',response,count) return data:sub(1,32) else return nil, "Couldn't read block.." end end return nil, "No response from device" end local function main(args) print( string.rep('--',20) ) print( string.rep('--',20) ) print() local keyA local cmd local err local useNested = false local cmdReadBlockString = 'hf mf rdbl %d A %s' local input = "dumpkeys.bin" -- Arguments for the script for o, a in getopt.getopt(args, 'hk:n') do if o == "h" then return help() end if o == "k" then keyA = a end if o == "n" then useNested = true end end -- validate input args. keyA = keyA or '4b0b20107ccb' if #(keyA) ~= 12 then return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA)) end result, err = lib14a.read1443a(false) if not result then return oops(err) end print((' Found tag : %s'):format(result.name)) core.clearCommandBuffer() if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx return oops('This is not a TNP3xxx tag. aborting.') end -- Show info print(('Using keyA : %s'):format(keyA)) print( string.rep('--',20) ) if useNested then print('Trying to find keys.') core.console( ('hf mf nested 1 0 A %s d'):format(keyA) ) end -- Loading keyfile print('Loading dumpkeys.bin') local infile = io.open(input, "rb") if infile == nil then return oops('Could not read file ', input) end local akeys = readdumpkeys(infile):sub(0,12*16) -- Read block 0 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA} err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local block0, err = waitCmd() if err then return oops(err) end -- Read block 1 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA} err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local block1, err = waitCmd() if err then return oops(err) end local key local pos = 0 local blockNo local blocks = {} -- main loop for blockNo = 0, numBlocks-1, 1 do if core.ukbhit() then print("aborted by user") break end pos = (math.floor( blockNo / 4 ) * 12)+1 key = akeys:sub(pos, pos + 12 ) cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blockNo ,arg2 = 0,arg3 = 0, data = key} local err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local blockdata, err = waitCmd() if err then return oops(err) end local b = blockNo%4 if b ~= 3 then if blockNo < 8 then -- Block 0-7 not encrypted blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata) else local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local md5hash = md5.sumhexa(base) local aestest = core.aes(md5hash, blockdata) local _,hex = bin.unpack(("H%d"):format(16),aestest) -- local hexascii = string.gsub(hex, '(%x%x)', -- function(value) -- return string.char(tonumber(value, 16)) -- end -- ) if string.find(blockdata, '^0+$') then blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata) else --blocks[blockNo+1] = ('%02d :: %s :: %s :: %s '):format(blockNo,key,md5hash,hex) blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,hex) end end else -- Sectorblocks, not encrypted blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata) end end -- Print results print('BLK :: DATA DECRYPTED' ) print( string.rep('--',36) ) for _,s in pairs(blocks) do print( s ) end end main(args)