FIX: tnp3.lua is more or less finished. Needs testing.
void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
{
int i = 0;
void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
{
int i = 0;
- uint8_t *buff = (uint8_t *)BigBuf;
+ uint8_t *buf = (uint8_t *)BigBuf;
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
//#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
//#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
//#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
//#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
HIGH(GPIO_SSC_DOUT);
//FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
//FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
HIGH(GPIO_SSC_DOUT);
//FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
//FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
\r
core.clearCommandBuffer()\r
\r
\r
core.clearCommandBuffer()\r
\r
- if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k\r
+ if 0x18 == result.sak then -- NXP MIFARE Classic 4k | Plus 4k\r
-- IFARE Classic 4K offers 4096 bytes split into forty sectors, \r
-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. \r
numSectors = 40\r
-- IFARE Classic 4K offers 4096 bytes split into forty sectors, \r
-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. \r
numSectors = 40\r
- elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k\r
+ elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k\r
-- 1K offers 1024 bytes of data storage, split into 16 sector\r
numSectors = 16\r
-- 1K offers 1024 bytes of data storage, split into 16 sector\r
numSectors = 16\r
- elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k\r
+ elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k\r
-- MIFARE Classic mini offers 320 bytes split into five sectors.\r
numSectors = 5\r
-- MIFARE Classic mini offers 320 bytes split into five sectors.\r
numSectors = 5\r
- elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"\r
+ elseif 0x10 == result.sak then -- NXP MIFARE Plus 2k\r
+ elseif 0x01 == sak then -- NXP MIFARE TNP3xxx 1K\r
+ numSectors = 16\r
else\r
print("I don't know how many sectors there are on this type of card, defaulting to 16")\r
end \r
else\r
print("I don't know how many sectors there are on this type of card, defaulting to 16")\r
end \r
example =[[
1. script run tnp3
example =[[
1. script run tnp3
- 2. script run tnp3 -k aabbccddeeff
+ 2. script run tnp3 -n
+ 3. script run tnp3 -k aabbccddeeff
+ 4. script run tnp3 -k aabbccddeeff -n
-usage = "script run tnp3 -k <key>"
+usage = "script run tnp3 -k <key> -n"
desc =[[
This script will try to dump the contents of a Mifare TNP3xxx card.
It will need a valid KeyA in order to find the other keys and decode the card.
Arguments:
desc =[[
This script will try to dump the contents of a Mifare TNP3xxx card.
It will need a valid KeyA in order to find the other keys and decode the card.
Arguments:
- -h - this help
- -k <key> - Sector 0 Key A.
+ -h : this help
+ -k <key> : Sector 0 Key A.
+ -n : Use the nested cmd to find all keys
+-- AES konstant? LEN 0x24 36,
+-- I dekompilen är det för internal static array = 0x36 54
local hashconstant = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20'
local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
local hashconstant = '20436F707972696768742028432920323031302041637469766973696F6E2E20416C6C205269676874732052657365727665642E20'
local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
-local function show(data)
- if DEBUG then
- local formatString = ("H%d"):format(string.len(data))
- local _,hexdata = bin.unpack(formatString, data)
- dbg("Hexdata" , hexdata)
- end
-end
-
local function readdumpkeys(infile)
t = infile:read("*all")
len = string.len(t)
local len,hex = bin.unpack(("H%d"):format(len),t)
local function readdumpkeys(infile)
t = infile:read("*all")
len = string.len(t)
local len,hex = bin.unpack(("H%d"):format(len),t)
local keyA
local cmd
local err
local keyA
local cmd
local err
+ local useNested = false
local cmdReadBlockString = 'hf mf rdbl %d A %s'
local input = "dumpkeys.bin"
-- Arguments for the script
local cmdReadBlockString = 'hf mf rdbl %d A %s'
local input = "dumpkeys.bin"
-- Arguments for the script
- for o, a in getopt.getopt(args, 'hk:') do
+ for o, a in getopt.getopt(args, 'hk:n') do
if o == "h" then return help() end
if o == "k" then keyA = a end
if o == "h" then return help() end
if o == "k" then keyA = a end
+ if o == "n" then useNested = true end
end
-- validate input args.
end
-- validate input args.
result, err = lib14a.read1443a(false)
if not result then
result, err = lib14a.read1443a(false)
if not result then
print((' Found tag : %s'):format(result.name))
core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
print((' Found tag : %s'):format(result.name))
core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
- print('This is not a TNP3xxx tag. aborting.')
- return
+ return oops('This is not a TNP3xxx tag. aborting.')
end
-- Show info
print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) )
end
-- Show info
print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) )
- print('Trying to find other keys. ')
- --core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
+ print('Trying to find other keys.')
+ if useNested then
+ core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
+ end
- -- Reading found keys file
local infile = io.open(input, "rb")
if infile == nil then
return oops('Could not read file ', input)
end
local akeys = readdumpkeys(infile):sub(0,12*16)
local infile = io.open(input, "rb")
if infile == nil then
return oops('Could not read file ', input)
end
local akeys = readdumpkeys(infile):sub(0,12*16)
- --print( ('KEYS: %s'):format(akeys))
-
- print('Reading data need to dump data')
-
-- Read block 0
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA}
err = core.SendCommand(cmd:getBytes())
-- Read block 0
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA}
err = core.SendCommand(cmd:getBytes())
-- Read block 1
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA}
-- Read block 1
cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 1,arg2 = 0,arg3 = 0, data = keyA}
- local err = core.SendCommand(cmd:getBytes())
+ err = core.SendCommand(cmd:getBytes())
if err then return oops(err) end
local block1, err = waitCmd()
if err then return oops(err) end
if err then return oops(err) end
local block1, err = waitCmd()
if err then return oops(err) end
+ local key
+ local pos = 0
+ local blockNo
+ local blocks = {}
- print('BLOCK MD5 DECRYPTED ASCII' )
-
- local key
- local keyPosStart = 0
- local block
- for block = 0, numBlocks-1, 1 do
- local b = (block+1)%4
- if b ~= 0 then
- keyPosStart = (math.floor( block / 4 ) * 12)+1
- key = akeys:sub(keyPosStart, keyPosStart + 12 )
- --print( ('%02d %s'):format(block, key))
-
- cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = block ,arg2 = 0,arg3 = 0, data = key}
+ for blockNo = 8, numBlocks-1, 1 do
+ local b = blockNo%4
+ if b ~= 3 then
+ pos = (math.floor( blockNo / 4 ) * 12)+1
+ key = akeys:sub(pos, pos + 12 )
+ cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blockNo ,arg2 = 0,arg3 = 0, data = key}
local err = core.SendCommand(cmd:getBytes())
if err then return oops(err) end
local blockdata, err = waitCmd()
if err then return oops(err) end
local err = core.SendCommand(cmd:getBytes())
if err then return oops(err) end
local blockdata, err = waitCmd()
if err then return oops(err) end
- local base = ('%s%s%02d%s'):format(block0, block1, block, hashconstant)
+ local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)
local md5hash = md5.sumhexa(base)
local aestest = core.aes(md5hash, blockdata)
local _,hex = bin.unpack(("H%d"):format(16),aestest)
local md5hash = md5.sumhexa(base)
local aestest = core.aes(md5hash, blockdata)
local _,hex = bin.unpack(("H%d"):format(16),aestest)
- local hexascii = string.gsub(hex, '(%x%x)',
- function(value)
- return string.char(tonumber(value, 16))
- end
- )
-
- print( ('%02d :: %s :: %s :: %s :: %s'):format(block,key,md5hash,hex,hexascii) )
+ -- local hexascii = string.gsub(hex, '(%x%x)',
+ -- function(value)
+ -- return string.char(tonumber(value, 16))
+ -- end
+ -- )
+
+ if string.find(blockdata, '^0+$') then
+ blocks[blockNo] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
+ else
+ --blocks[blockNo] = ('%02d :: %s :: %s :: %s '):format(blockNo,key,md5hash,hex)
+ blocks[blockNo] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
+ end
if core.ukbhit() then
print("aborted by user")
if core.ukbhit() then
print("aborted by user")
+
+ -- Print results
+ print('BLK :: DATA DECRYPTED' )
+ print( string.rep('--',36) )
+ for _,s in pairs(blocks) do
+ print( s )
+ end
end
main(args)
\ No newline at end of file
end
main(args)
\ No newline at end of file
projects / proxmark3-svn / commitdiff