local cmds = require('commands') local getopt = require('getopt') local bin = require('bin') local lib14a = require('read14a') local utils = require('utils') local md5 = require('md5') example =[[ 1. script run tnp3 2. script run tnp3 -k aabbccddeeff ]] author = "Iceman" usage = "script run tnp3 -k " desc =[[ This script will try to dump the contents of a Mifare TNP3xxx card. It will need a valid KeyA in order to find the other keys and decode the card. Arguments: -h - this help -k - Sector 0 Key A. ]] local hashconstant = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20' local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds local DEBUG = true -- the debug flag local numBlocks = 64 local numSectors = 16 --- -- A debug printout-function function dbg(args) if not DEBUG then return end if type(args) == "table" then local i = 1 while result[i] do dbg(result[i]) i = i+1 end else print("###", args) end end --- -- This is only meant to be used when errors occur function oops(err) print("ERROR: ",err) end --- -- Usage help function help() print(desc) print("Example usage") print(example) end -- -- Exit message function ExitMsg(msg) print( string.rep('--',20) ) print( string.rep('--',20) ) print(msg) print() end local function show(data) if DEBUG then local formatString = ("H%d"):format(string.len(data)) local _,hexdata = bin.unpack(formatString, data) dbg("Hexdata" , hexdata) end end local function readdumpkeys(infile) t = infile:read("*all") len = string.len(t) local len,hex = bin.unpack(("H%d"):format(len),t) --print(len,hex) return hex end local function waitCmd() local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) if response then local count,cmd,arg0 = bin.unpack('LL',response) if(arg0==1) then local count,arg1,arg2,data = bin.unpack('LLH511',response,count) return data:sub(1,32) else return nil, "Couldn't read block.." end end return nil, "No response from device" end local function main(args) print( string.rep('--',20) ) print( string.rep('--',20) ) print() local keyA local cmd local err local cmdReadBlockString = 'hf mf rdbl %d A %s' local input = "dumpkeys.bin" -- Arguments for the script for o, a in getopt.getopt(args, 'hk:') do if o == "h" then return help() end if o == "k" then keyA = a end end -- validate input args. keyA = keyA or '4b0b20107ccb' if #(keyA) ~= 12 then return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA)) end result, err = lib14a.read1443a(false) if not result then print(err) return end print((' Found tag : %s'):format(result.name)) core.clearCommandBuffer() if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx print('This is not a TNP3xxx tag. aborting.') return end -- Show info print(('Using keyA : %s'):format(keyA)) print( string.rep('--',20) ) print('Trying to find other keys. ') --core.console( ('hf mf nested 1 0 A %s d'):format(keyA) ) -- Reading found keys file local infile = io.open(input, "rb") if infile == nil then return oops('Could not read file ', input) end local akeys = readdumpkeys(infile):sub(0,12*16) --print( ('KEYS: %s'):format(akeys)) print('Reading data need to dump data') -- Read block 0 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA} err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local block0, err = waitCmd() if err then return oops(err) end -- Read block 1 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA} local err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local block1, err = waitCmd() if err then return oops(err) end print('Dumping data') -- main loop print('BLOCK MD5 DECRYPTED ASCII' ) local key local keyPosStart = 0 local block for block = 0, numBlocks-1, 1 do local b = (block+1)%4 if b ~= 0 then keyPosStart = (math.floor( block / 4 ) * 12)+1 key = akeys:sub(keyPosStart, keyPosStart + 12 ) --print( ('%02d %s'):format(block, key)) cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = block ,arg2 = 0,arg3 = 0, data = key} local err = core.SendCommand(cmd:getBytes()) if err then return oops(err) end local blockdata, err = waitCmd() if err then return oops(err) end local base = ('%s%s%02d%s'):format(block0, block1, block, hashconstant) local md5hash = md5.sumhexa(base) local aestest = core.aes(md5hash, blockdata) local _,hex = bin.unpack(("H%d"):format(16),aestest) local hexascii = string.gsub(hex, '(%x%x)', function(value) return string.char(tonumber(value, 16)) end ) print( ('%02d :: %s :: %s :: %s :: %s'):format(block,key,md5hash,hex,hexascii) ) if core.ukbhit() then print("aborted by user") break end end end end main(args)