From 40762506601062bb79a0a081a7b508b8e02c29fa Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 30 Mar 2015 16:15:53 +0200 Subject: [PATCH] CHG: minor fixes to some tnp luascripts ADD: a script to make a barebone clone for tnp3 on a chinese magic s50 generation 1 tag. --- client/lualibs/default_toys.lua | 72 ++++++++++---------- client/scripts/tnp3clone.lua | 113 ++++++++++++++++++++++++++++++++ client/scripts/tnp3dump.lua | 4 +- client/scripts/tnp3sim.lua | 29 ++++---- 4 files changed, 167 insertions(+), 51 deletions(-) create mode 100644 client/scripts/tnp3clone.lua diff --git a/client/lualibs/default_toys.lua b/client/lualibs/default_toys.lua index 048a29c9..749686c7 100644 --- a/client/lualibs/default_toys.lua +++ b/client/lualibs/default_toys.lua @@ -116,42 +116,42 @@ local _names = { --[[ TRAPTEAM --]] - ["01C2"]="TRAPTEAM GUSTO", - ["01C3"]="TRAPTEAM THUNDERBOLT", - ["01C4"]="TRAPTEAM FLING KONG", - ["01C5"]="TRAPTEAM BLADES", - ["01C6"]="TRAPTEAM WALLOP", - ["01C7"]="TRAPTEAM HEAD RUSH", - ["01C8"]="TRAPTEAM FIST BUMP", - ["01C9"]="TRAPTEAM ROCKY ROLL", - ["01CA"]="TRAPTEAM WILDFIRE", - ["01CB"]="TRAPTEAM KA BOOM", - ["01CC"]="TRAPTEAM TRAIL BLAZER", - ["01CD"]="TRAPTEAM TORCH", - ["01CE"]="TRAPTEAM SNAP SHOT", - ["01CF"]="TRAPTEAM LOB STAR", - ["01D0"]="TRAPTEAM FLIP WRECK", - ["01D1"]="TRAPTEAM ECHO", - ["01D2"]="TRAPTEAM BLASTERMIND", - ["01D3"]="TRAPTEAM ENIGMA", - ["01D4"]="TRAPTEAM DEJA VU", - ["01D5"]="TRAPTEAM COBRA CADABRA", - ["01D6"]="TRAPTEAM JAWBREAKER", - ["01D7"]="TRAPTEAM GEARSHIFT", - ["01D8"]="TRAPTEAM CHOPPER", - ["01D9"]="TRAPTEAM TREAD HEAD", - ["01DA"]="TRAPTEAM BUSHWHACK", - ["01DB"]="TRAPTEAM TUFF LUCK", - ["01DC"]="TRAPTEAM FOOD FIGHT", - ["01DD"]="TRAPTEAM HIGH FIVE", - ["01DE"]="TRAPTEAM NITRO KRYPT KING", - ["01DF"]="TRAPTEAM SHORT CUT", - ["01E0"]="TRAPTEAM BAT SPIN", - ["01E1"]="TRAPTEAM FUNNY BONE", - ["01E2"]="TRAPTEAM KNIGHT LIGHT", - ["01E3"]="TRAPTEAM SPOTLIGHT", - ["01E4"]="TRAPTEAM KNIGHT MARE", - ["01E5"]="TRAPTEAM BLACKOUT", + ["C201"]="TRAPTEAM GUSTO", + ["C301"]="TRAPTEAM THUNDERBOLT", + ["C401"]="TRAPTEAM FLING KONG", + ["C501"]="TRAPTEAM BLADES", + ["C601"]="TRAPTEAM WALLOP", + ["C701"]="TRAPTEAM HEAD RUSH", + ["C801"]="TRAPTEAM FIST BUMP", + ["C901"]="TRAPTEAM ROCKY ROLL", + ["CA01"]="TRAPTEAM WILDFIRE", + ["CB01"]="TRAPTEAM KA BOOM", + ["CC01"]="TRAPTEAM TRAIL BLAZER", + ["CD01"]="TRAPTEAM TORCH", + ["CE01"]="TRAPTEAM SNAP SHOT", + ["CF01"]="TRAPTEAM LOB STAR", + ["D001"]="TRAPTEAM FLIP WRECK", + ["D101"]="TRAPTEAM ECHO", + ["D201"]="TRAPTEAM BLASTERMIND", + ["D301"]="TRAPTEAM ENIGMA", + ["D401"]="TRAPTEAM DEJA VU", + ["D501"]="TRAPTEAM COBRA CADABRA", + ["D601"]="TRAPTEAM JAWBREAKER", + ["D701"]="TRAPTEAM GEARSHIFT", + ["D801"]="TRAPTEAM CHOPPER", + ["D901"]="TRAPTEAM TREAD HEAD", + ["DA01"]="TRAPTEAM BUSHWHACK", + ["DB01"]="TRAPTEAM TUFF LUCK", + ["DC01"]="TRAPTEAM FOOD FIGHT", + ["DD01"]="TRAPTEAM HIGH FIVE", + ["DE01"]="TRAPTEAM NITRO KRYPT KING", + ["DF01"]="TRAPTEAM SHORT CUT", + ["E001"]="TRAPTEAM BAT SPIN", + ["E101"]="TRAPTEAM FUNNY BONE", + ["E201"]="TRAPTEAM KNIGHT LIGHT", + ["E301"]="TRAPTEAM SPOTLIGHT", + ["E401"]="TRAPTEAM KNIGHT MARE", + ["E501"]="TRAPTEAM BLACKOUT", --[[ PET diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua new file mode 100644 index 00000000..aec54838 --- /dev/null +++ b/client/scripts/tnp3clone.lua @@ -0,0 +1,113 @@ +local cmds = require('commands') +local getopt = require('getopt') +local lib14a = require('read14a') +local utils = require('utils') +local pre = require('precalc') + +local lsh = bit32.lshift +local rsh = bit32.rshift +local bor = bit32.bor +local band = bit32.band + +example =[[ + script run tnp3dump + script run tnp3dump -h + script run tnp3dump -t aa00 + +]] +author = "Iceman" +usage = "script run tnp3clone -t " +desc =[[ +This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card. + +Arguments: + -h : this help + -k : toytype id, 4 hex symbols. +]] + + +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end + +local function waitCmd() + local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000) + if response then + local count,cmd,arg0 = bin.unpack('LL',response) + if(arg0==1) then + local count,arg1,arg2,data = bin.unpack('LLH511',response,count) + return data:sub(1,32) + else + return nil, "Couldn't read block." + end + end + return nil, "No response from device" +end + +local function readblock( keyA ) + -- Read block 0 + cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA} + err = core.SendCommand(cmd:getBytes()) + if err then return oops(err) end + local block0, err = waitCmd() + if err then return oops(err) end + return block0 +end + +local function main(args) + + local numBlocks = 64 + local cset = 'hf mf csetbl' + local empty = '00000000000000000000000000000000' + local AccAndKeyB = '7F078869000000000000' + -- Defaults to Gusto + local toytype = 'C201' + + -- Arguments for the script + for o, a in getopt.getopt(args, 'ht:') do + if o == "h" then return help() end + if o == "t" then toytype = a end + end + + if #toytype ~= 4 then return oops('Wrong size in toytype. (4hex symbols)') end + + -- find tag + result, err = lib14a.read1443a(false) + if not result then return oops(err) end + + -- Show tag info + print((' Found tag %s'):format(result.name)) + + -- load keys + local akeys = pre.GetAll(result.uid) + local keyA = akeys:sub(1, 12 ) + + local b0 = readblock(keyA) + local b1 = toytype..'000000000000000000000000' + + local calc = utils.Crc16(b0..b1) + local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8)) + + local cmd = ('hf mf csetbl 1 %s%04x'):format( b1, calcEndian) + core.console( cmd) + + local pos, key + for blockNo = 2, numBlocks-1, 1 do + pos = (math.floor( blockNo / 4 ) * 12)+1 + key = akeys:sub(pos, pos + 11 ) + if blockNo%4 ~= 3 then + cmd = ('%s %d %s'):format(cset,blockNo,empty) + else + cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB) + end + core.console(cmd) + end +end +main(args) \ No newline at end of file diff --git a/client/scripts/tnp3dump.lua b/client/scripts/tnp3dump.lua index 53822c7d..363998fb 100644 --- a/client/scripts/tnp3dump.lua +++ b/client/scripts/tnp3dump.lua @@ -148,7 +148,7 @@ local function main(args) core.clearCommandBuffer() if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx - return oops('This is not a TNP3xxx tag. aborting.') + -- return oops('This is not a TNP3xxx tag. aborting.') end -- Show tag info @@ -215,7 +215,9 @@ local function main(args) local blockdata, err = waitCmd() if err then return oops(err) end + if blockNo%4 ~= 3 then + if blockNo < 8 then -- Block 0-7 not encrypted blocks[blockNo+1] = ('%02d :: %s'):format(blockNo,blockdata) diff --git a/client/scripts/tnp3sim.lua b/client/scripts/tnp3sim.lua index fc403758..1d3dbefd 100644 --- a/client/scripts/tnp3sim.lua +++ b/client/scripts/tnp3sim.lua @@ -26,7 +26,7 @@ Arguments: ]] local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds -local DEBUG = false -- the debug flag +local DEBUG = true -- the debug flag local band = bit32.band @@ -302,25 +302,25 @@ function DivideByK(msw, lsw) remainder = num % RADIX return remainder, highLSW, lowLSW - uint num = 0 | (msw >> 16) & 0xffff; + -- uint num = 0 | (msw >> 16) & 0xffff; - highLSW = 0 | (num / RADIX) << 16; - remainder = num % RADIX; + -- highLSW = 0 | (num / RADIX) << 16; + -- remainder = num % RADIX; - num = (remainder << 16) | (msw & 0xffff); + -- num = (remainder << 16) | (msw & 0xffff); - highLSW |= num / RADIX; - remainder = num % RADIX; + -- highLSW |= num / RADIX; + -- remainder = num % RADIX; - num = (remainder << 16) | ((lsw >> 16) & 0xffff); + -- num = (remainder << 16) | ((lsw >> 16) & 0xffff); - lowLSW = 0 | (num / RADIX) << 16; - remainder = num % RADIX; + -- lowLSW = 0 | (num / RADIX) << 16; + -- remainder = num % RADIX; - num = (remainder << 16) | (lsw & 0xffff); + -- num = (remainder << 16) | (lsw & 0xffff); - lowLSW |= num / RADIX; - remainder = num % RADIX; + -- lowLSW |= num / RADIX; + -- remainder = num % RADIX; end @@ -397,7 +397,8 @@ local function main(args) print( (' UID : 0x%s'):format(uid) ) print( (' CARDID : 0x%s %s [%s]'):format( cardidMsw,cardidLsw, - Num2Card(cardidMsw, cardidLsw)) + --Num2Card(cardidMsw, cardidLsw)) + '') ) print( string.rep('--',20) ) -- 2.39.2