example =[[
1. script run tnp3
- 2. script run tnp3 -k aabbccddeeff
+ 2. script run tnp3 -n
+ 3. script run tnp3 -k aabbccddeeff
+ 4. script run tnp3 -k aabbccddeeff -n
]]
author = "Iceman"
-usage = "script run tnp3 -k <key>"
+usage = "script run tnp3 -k <key> -n"
desc =[[
This script will try to dump the contents of a Mifare TNP3xxx card.
It will need a valid KeyA in order to find the other keys and decode the card.
Arguments:
- -h - this help
- -k <key> - Sector 0 Key A.
+ -h : this help
+ -k <key> : Sector 0 Key A.
+ -n : Use the nested cmd to find all keys
]]
+-- AES konstant? LEN 0x24 36,
+-- I dekompilen är det för internal static array = 0x36 54
local hashconstant = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20'
local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
print()
end
-local function show(data)
- if DEBUG then
- local formatString = ("H%d"):format(string.len(data))
- local _,hexdata = bin.unpack(formatString, data)
- dbg("Hexdata" , hexdata)
- end
+local function readdumpkeys(infile)
+ t = infile:read("*all")
+ len = string.len(t)
+ local len,hex = bin.unpack(("H%d"):format(len),t)
+ return hex
end
-function waitCmd()
+local function waitCmd()
local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
if response then
local count,cmd,arg0 = bin.unpack('LL',response)
local keyA
local cmd
local err
+ local useNested = false
local cmdReadBlockString = 'hf mf rdbl %d A %s'
+ local input = "dumpkeys.bin"
-- Arguments for the script
- for o, a in getopt.getopt(args, 'hk:') do
+ for o, a in getopt.getopt(args, 'hk:n') do
if o == "h" then return help() end
if o == "k" then keyA = a end
+ if o == "n" then useNested = true end
end
-- validate input args.
result, err = lib14a.read1443a(false)
if not result then
- print(err)
- return
+ return oops(err)
end
- print((" Found tag : %s"):format(result.name))
+
+ print((' Found tag : %s'):format(result.name))
core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
- print("This is not a TNP3xxx tag. aborting.")
- return
+ return oops('This is not a TNP3xxx tag. aborting.')
end
-- Show info
print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) )
- local cmdNestedString = 'hf mf nested 1 0 A %s d'
- local cmdDumpString = 'hf mf dump'
- --core.console(cmdNestedString.format(keyA) )
- --core.console(cmdDumpString)
-
- print('Reading data need to dump data')
+ print('Trying to find other keys.')
+ if useNested then
+ core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
+ end
+ -- Loading keyfile
+ local infile = io.open(input, "rb")
+ if infile == nil then
+ return oops('Could not read file ', input)
+ end
+ local akeys = readdumpkeys(infile):sub(0,12*16)
+
-- Read block 0
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA}
err = core.SendCommand(cmd:getBytes())
-- Read block 1
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA}
- local err = core.SendCommand(cmd:getBytes())
+ err = core.SendCommand(cmd:getBytes())
if err then return oops(err) end
local block1, err = waitCmd()
if err then return oops(err) end
+ local key
+ local pos = 0
+ local blockNo
+ local blocks = {}
- -- Read block 9
- cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 9,arg2 = 0,arg3 = 0, data = '56f6313550f9'}
- local err = core.SendCommand(cmd:getBytes())
- if err then return oops(err) end
- local block9, err = waitCmd()
- if err then return oops(err) end
-
-- main loop
- print('BLOCK MD5 DECRYPTED ASCII' )
-
- for block=0,numBlocks-1,1 do
+ for blockNo = 8, numBlocks-1, 1 do
+ local b = blockNo%4
+ if b ~= 3 then
+ pos = (math.floor( blockNo / 4 ) * 12)+1
+ key = akeys:sub(pos, pos + 12 )
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blockNo ,arg2 = 0,arg3 = 0, data = key}
+ local err = core.SendCommand(cmd:getBytes())
+ if err then return oops(err) end
+ local blockdata, err = waitCmd()
+ if err then return oops(err) end
- if math.fmod(block,4) then
-
- end
+ local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)
+ local md5hash = md5.sumhexa(base)
+ local aestest = core.aes(md5hash, blockdata)
- local base = ('%s%s%02d%s'):format(block0, block1, block, hashconstant)
- local md5hash = md5.sumhexa(base)
- local aestest = core.aes(md5hash, block9 )
+ local _,hex = bin.unpack(("H%d"):format(16),aestest)
- local _,hex = bin.unpack(("H%d"):format(16),aestest)
-
-
- local hexascii = string.gsub(hex, '(%x%x)',
- function(value)
- return string.char(tonumber(value, 16))
- end
- )
+ -- local hexascii = string.gsub(hex, '(%x%x)',
+ -- function(value)
+ -- return string.char(tonumber(value, 16))
+ -- end
+ -- )
- print( block .. ' :: ' .. md5hash .. ' :: ' .. hex .. ' :: ' .. hexascii )
+ if string.find(blockdata, '^0+$') then
+ blocks[blockNo] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
+ else
+ --blocks[blockNo] = ('%02d :: %s :: %s :: %s '):format(blockNo,key,md5hash,hex)
+ blocks[blockNo] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
+ end
- -- if core.ukbhit() then
- -- print("aborted by user")
- -- break
- -- end
+ if core.ukbhit() then
+ print("aborted by user")
+ break
+ end
+ end
end
+
+ -- Print results
+ print('BLK :: DATA DECRYPTED' )
+ print( string.rep('--',36) )
+ for _,s in pairs(blocks) do
+ print( s )
+ end
end
main(args)
\ No newline at end of file
projects / proxmark3-svn / blobdiff