From 16b04cb291feefce8f76c6b05f93b62d304be1ed Mon Sep 17 00:00:00 2001
From: "martin.holst@gmail.com"
Date: Fri, 7 Jun 2013 09:26:56 +0000
Subject: [PATCH] mf check keys in lua-space
---
 client/mf_default_keys.lua | 153 +++++++++++++++++++++++++++++++++++++
 client/scripts/mfkeys.lua | 143 ++++++++++++++++++++++++++++++++++
 2 files changed, 296 insertions(+)
 create mode 100644 client/mf_default_keys.lua
 create mode 100644 client/scripts/mfkeys.lua
diff --git a/client/mf_default_keys.lua b/client/mf_default_keys.lua
new file mode 100644
index 00000000..cb58397c
--- /dev/null
+++ b/client/mf_default_keys.lua
@@ -0,0 +1,153 @@
+
+
+local _keys = {
+
+ --[[
+
+ These keys are from the pm3 c-codebase.
+
+ --]]
+ 'fffffffffff0', -- Default key (first key used by program if no user defined key)
+ '000000000000', -- Blank key
+ 'a0a1a2a3a4a5', -- NFCForum MAD key
+ 'b0b1b2b3b4b5',
+ 'aabbccddeeff',
+ '4d3a99c351dd',
+ '1a982c7e459a',
+ 'd3f7d3f7d3f7',
+ '714c5c886e97',
+ '587ee5f9350f',
+ 'a0478cc39091',
+ '533cb6c723f6',
+ '8fd0a4f256e9',
+
+
+ --[[
+ The data below is taken form the Slurp project,
+ https://github.com/4ZM/slurp/blob/master/res/xml/mifare_default_keys.xml
+ released as GPLV3.
+
+ --]]
+
+ '000000000000', -- Default key
+ 'fffffffffff0', -- Default key
+ 'b0b1b2b3b4b5', -- Key from mfoc
+ '4d3a99c351dd', -- Key from mfoc
+ '1a982c7e459a', -- Key from mfoc
+ 'aabbccddeeff', -- Key from mfoc
+ '714c5c886e97', -- Key from mfoc
+ '587ee5f9350f', -- Key from mfoc
+ 'a0478cc39091', -- Key from mfoc
+ '533cb6c723f6', -- Key from mfoc
+ '8fd0a4f256e9', -- Key from mfoc
+ -- Data from: http://pastebin.com/wcTHXLZZ
+ 'a64598a77478', -- RKF SL Key A
+ '26940b21ff5d', -- RKF SL Key A
+ 'fc00018778f7', -- RKF SL Key A
+ '00000ffe2488', -- RKF SL Key B
+ '5c598c9c58b5', -- RKF SL Key B
+ 'e4d2770a89be', -- RKF SL Key B
+ -- Data from: http://pastebin.com/svGjN30Q
+ '434f4d4d4f41', -- RKF JOJO GROUP Key A
+ '434f4d4d4f42', -- RKF JOJO GROUP Key B
+ '47524f555041', -- RKF JOJO GROUP Key A
+ '47524f555042', -- RKF JOJO GROUP Key B
+ '505249564141', -- RKF JOJO PRIVA Key A
+ '505249564142', -- RKF JOJO PRIVA Key B
+ -- Data from: http://pastebin.com/d7sSetef
+ 'fc00018778f7', -- RKF Rejskort Danmark Key A
+ '00000ffe2488', -- RKF Rejskort Danmark Key B
+ '0297927c0f77', -- RKF Rejskort Danmark Key A
+ 'ee0042f88840', -- RKF Rejskort Danmark Key B
+ '722bfcc5375f', -- RKF Rejskort Danmark Key A
+ 'f1d83f964314', -- RKF Rejskort Danmark Key B
+ -- Data from: http://pastebin.com/pvJX0xVS
+ '54726176656C', -- Transport Key A
+ '776974687573', -- Transport Key B
+ '4AF9D7ADEBE4', -- Directory and event log Key A
+ '2BA9621E0A36', -- Directory and event log Key B
+ -- Data from: http://pastebin.com/Dnnc5dFC
+ -- New cards are not encrypted (MF Ultralight)
+ 'fc00018778f7', -- Västtrafiken Key A
+ '00000ffe2488', -- Västtrafiken Key B
+ '0297927c0f77', -- Västtrafiken Key A
+ 'ee0042f88840', -- Västtrafiken Key B
+ '54726176656c', -- Västtrafiken Key A
+ '776974687573', -- Västtrafiken Key B
+ -- Data from: http://pastebin.com/y3PDBWR1
+ '000000000001',
+ 'a0a1a2a3a4a5',
+ '123456789abc',
+ 'b127c6f41436',
+ '12f2ee3478c1',
+ '34d1df9934c5',
+ '55f5a5dd38c9',
+ 'f1a97341a9fc',
+ '33f974b42769',
+ '14d446e33363',
+ 'c934fe34d934',
+ '1999a3554a55',
+ '27dd91f1fcf1',
+ 'a94133013401',
+ '99c636334433',
+ '43ab19ef5c31',
+ 'a053a292a4af',
+ '434f4d4d4f41',
+ '434f4d4d4f42',
+ '505249565441',
+ '505249565442',
+ -- Data from,:, http://pastebin.com/TUXj17K3
+ 'fc0001877bf7', -- RKF ÖstgötaTrafiken Key A
+ '00000ffe2488', -- RKF ÖstgötaTrafiken Key B
+ '0297927c0f77', -- RKF ÖstgötaTrafiken Key A
+ 'ee0042f88840', -- RKF ÖstgötaTrafiken Key B
+ '54726176656c', -- RKF ÖstgötaTrafiken Key A
+ '776974687573', -- RKF ÖstgötaTrafiken Key B
+
+ --[[
+ The keys below are taken from from https://code.google.com/p/mifare-key-cracker/downloads/list
+ --]]
+
+ 'bd493a3962b6',
+ '010203040506',
+ '111111111111',
+ '222222222222',
+ '333333333333',
+ '444444444444',
+ '555555555555',
+ '666666666666',
+ '777777777777',
+ '888888888888',
+ '999999999999',
+ 'aaaaaaaaaaaa',
+ 'bbbbbbbbbbbb',
+ 'cccccccccccc',
+ 'dddddddddddd',
+ 'eeeeeeeeeeee',
+ '0123456789ab',
+ '123456789abc',
+ 'ffffffffffff', -- Default key
+}
+
+--[[
+ The keys above have just been pasted in, for completeness sake. They contain duplicates.
+ We need to weed the duplicates out before we expose the list to someone who actually wants to use them
+
+--]]
+
+local function uniq(list)
+
+ local foobar = {}
+ --print("list length ", #list)
+ for _, value in pairs(list) do
+ value = value:lower()
+ if not foobar[value] then
+ foobar[value] = true
+ table.insert(foobar, value);
+ end
+ end
+ --print("final list length length ", #foobar)
+ return foobar
+end
+
+return uniq(_keys)
\ No newline at end of file
diff --git a/client/scripts/mfkeys.lua b/client/scripts/mfkeys.lua
new file mode 100644
index 00000000..135108f3
--- /dev/null
+++ b/client/scripts/mfkeys.lua
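Review bot: `uniq` uses the single table `foobar` both as the seen-set (`foobar[value] = true`) and as the returned list (`table.insert(foobar, value)`), so the module hands out a table that carries one boolean hash entry per key next to its array part. `#keys`, `ipairs` and `table.concat` still see only the array part, but any consumer that walks the list with `pairs` will also get the hash entries. The loop also reads `_keys` with `pairs`, whose traversal order Lua does not guarantee, so the "first key used by program" ordering documented in the list may not survive; `ipairs` preserves it. A separate seen-table and result list fixes both, as sketched below.

```lua
local function uniq(list)
	local seen, result = {}, {}
	for _, value in ipairs(list) do
		value = value:lower()
		if not seen[value] then
			seen[value] = true
			result[#result + 1] = value
		end
	end
	return result
end
```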
@@ -0,0 +1,143 @@
+--[[
+ This is an example of Lua-scripting within proxmark3. This is a lua-side
+ implementation of hf mf chk
+
+ This code is licensed to you under the terms of the GNU GPL, version 2 or,
+ at your option, any later version. See the LICENSE.txt file for the text of
+ the license.
+
+ Copyright (C) 2013 m h swende
+]]
+-- Loads the commands-library
+local cmds = require('commands')
+-- Load the default keys
+local keys = require('mf_default_keys')
+local desc =
+("This script implements check keys. It utilises a large list of default keys (currently %d keys).\
+If you want to add more, just put them inside mf_default_keys.lua. "):format(#keys)
+
+local TIMEOUT = 10000 -- 10 seconds
+
+local function checkCommand(command)
+
+ --print("Sending this command : " .. tostring(command))
+ local usbcommand = command:getBytes()
+ core.SendCommand(usbcommand)
+ local result = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
+ if result then
+ local count,cmd,arg0 = bin.unpack('LL',result)
+ if(arg0==1) then
+ local count,arg1,arg2,data = bin.unpack('LLH511',result,count)
+ key = data:sub(1,12)
+ return key
+ else
+ --print("Key not found...")
+ return nil
+ end
+ else
+ print("Timeout while waiting for response. Increase TIMEOUT in keycheck.lua to wait longer")
+ return nil, "Timeout while waiting for device to respond"
+ end
+end
+
+
+function checkBlock(blockNo, keys, keyType)
+ -- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go.
+ -- If there's more, we need to split it up
+ local start, remaining= 1, #keys
+ local packets = {}
+ while remaining > 0 do
+ local n,data = remaining, nil
+ if remaining > 85 then n = 85 end
+ local data = table.concat(keys,"",start,n)
+ --print("data",data)
+ --print("data len", #data)
+ print(("Testing block %d, keytype %d, with %d keys"):format(blockNo, keyType, n))
+ local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS,
+ arg1 = blockNo,
+ arg2 = keyType,
+ arg3 = n,
+ data = data}
+ local status = checkCommand(command)
+ if status then return status, blockNo end
+ start = start+n+1
+ remaining = remaining - n
+ end
+ return nil
+end
+
+-- A function to display the results
+local function displayresults(results)
+ local sector, blockNo, keyA, keyB,_
+
+ print("________________________________________")
+ print("|Sector|Block| A | B |")
+ print("|--------------------------------------|")
+
+ for sector,_ in pairs(results) do
+ blockNo, keyA, keyB = unpack(_)
+
+ print(("| %3d | %3d |%s|%s|"):format(sector, blockNo, keyA, keyB ))
+ end
+ print("|--------------------------------------|")
+
+end
+-- A little helper to place an item first in the list
+local function placeFirst(akey, list)
+ akey = akey:lower()
+ if list[1] == akey then
+ -- Already at pole position
+ return list
+ end
+ local result = {akey}
+ --print(("Putting '%s' first"):format(akey))
+ for i,v in ipairs(list) do
+ if v ~= akey then
+ result[#result+1] = v
+ end
+ end
+ return result
+end
+
+local function main()
+
+ print(desc);
+
+ core.clearCommandBuffer()
+ local blockNo
+ local keyType = 0 -- A=0, B=1
+ local result = {}
+ for sector=1,40,1 do
+
+ --[[
+ The mifare Classic 1k card has 16 sectors of 4 data blocks each. The
+ first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
+ 8 sectors consist of 16 data blocks.
+ --]]
+ local blockNo = sector * 4 -1
+
+ if sector > 32 then
+ blockNo = 32*4+ (sector-32)*16 -1
+ end
+
+ local keyA = checkBlock(blockNo, keys, 0)
+ if keyA then keys = placeFirst(keyA, keys) end
+ keyA = keyA or ""
+
+ local keyB = checkBlock(blockNo, keys, 1)
+ if keyB then keys = placeFirst(keyB, keys) end
+ keyB = keyB or ""
+
+ result[sector] = {blockNo, keyA, keyB }
+
+ -- Check if user aborted
+ if core.ukbhit() then
+ print("Aborted by user")
+ break
+ end
+ end
+ displayresults(result)
+end
+
+main()
+
--
2.39.2
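Review bot: In `checkBlock` the fourth argument of `table.concat` is an end index, not a count, so once the key list grows past 85 entries every batch after the first calls `table.concat(keys,"",start,n)` with `start` greater than `n` and sends an empty payload while `arg3 = n` still announces n keys. The audit then reports "no known key" for a sector although most of the list was never tried, which is a false negative for anyone using the script to confirm that default keys are not in use. `start = start+n+1` additionally skips one key per batch. Suggested: `local data = table.concat(keys, "", start, start + n - 1)` and `start = start + n`. Separately, `key = data:sub(1,12)` in `checkCommand` assigns a global (the `local` is missing), and the `nil, err` it returns on timeout is discarded by `checkBlock`, so a device timeout is indistinguishable from "key not found" in the results table.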