[proxmark3-svn] / client / scripts / mfkeys.lua

--[[
	This is an example of Lua-scripting within proxmark3. This is a lua-side
	implementation of hf mf chk  

	This code is licensed to you under the terms of the GNU GPL, version 2 or,
	at your option, any later version. See the LICENSE.txt file for the text of
	the license.
	
	Copyright (C) 2013 m h swende <martin at swende.se>
--]]
-- Loads the commands-library
local cmds = require('commands')
-- Load the default keys
local keys = require('mf_default_keys')
-- Ability to read what card is there
local reader = require('read14a')
local getopt = require('getopt')

local OR = bit32.bor
local LSHIFT = bit32.lshift

example =[[
	 script run mfkeys
]]
author = "Iceman"
usage = "script run mfkeys"
desc = ("This script implements Mifare check keys. It utilises a large list of default keys (currently %d keys).\
If you want to add more, just put them inside /lualibs/mf_default_keys.lua\n"):format(#keys) ..
[[

Arguments:
	-h             : this help
	-p             : print keys
]]

local TIMEOUT = 10000 -- 10 seconds
--- 
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
end
	
--[[This may be moved to a separate library at some point]]
local utils = 
{
	--- 
	-- Asks the user for Yes or No
	confirm = function(message, ...)
		local answer
		message = message .. " [y]/[n] ?"
		repeat
			io.write(message)
			io.flush()
			answer=io.read()
			if answer == 'Y' or answer == "y" then
				return true
			elseif answer == 'N' or answer == 'n' then 
				return false
			end
		until false
	end,
	---
	-- Asks the user for input
	input = function (message , default)
		local answer
		if default ~= nil then
			message = message .. " (default: ".. default.. " )"
		end
		message = message .." \n > "
		io.write(message)
		io.flush()
		answer=io.read()
		if answer == '' then answer = default end

		return answer
	end,
}


local function checkCommand(command)

	--print("Sending this command : " .. tostring(command))
	local usbcommand = command:getBytes()
	core.SendCommand(usbcommand)
	local result = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
	if result then
		local count,cmd,arg0 = bin.unpack('LL',result)
		if(arg0==1) then
			local count,arg1,arg2,data = bin.unpack('LLH511',result,count)
			key = data:sub(1,12)
			return key
		else
			--print("Key not found...")
			return nil
		end
	else
		print("Timeout while waiting for response. Increase TIMEOUT in keycheck.lua to wait longer")
		return nil, "Timeout while waiting for device to respond"
	end
end

function checkBlock(blockNo, keys, keyType)
	-- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go. 
	-- If there's more, we need to split it up
	local start, remaining= 1, #keys
	local packets = {}
	while remaining > 0 do
		local n,data = remaining, nil
		if remaining > 85 then n = 85 end
		local data = table.concat(keys,"",start,n)
		print(("Testing block %d, keytype %d, with %d keys"):format(blockNo, keyType, n))
		local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS, 
								arg1 =  OR(blockNo, LSHIFT(keyType,8) ),
								arg2 = 0, 
								arg3 = n, 
								data = data}
		local status = checkCommand(command)
		if status then return status, blockNo end
		start = start+n+1
		remaining = remaining - n
	end
	return nil
end

-- A function to display the results
-- TODO: iceman 2016,  still screws up output when a key is not found.
local function displayresults(results)
	local sector, blockNo, keyA, keyB,_

	print("|---|----------------|---|----------------|---|")
	print("|sec|key A           |res|key B           |res|")
	print("|---|----------------|---|----------------|---|")

	for sector,_ in pairs(results) do
		blockNo, keyA, keyB = unpack(_)
		print(("|%03d|  %s  | 1 |  %s  | 1 |"):format(sector, keyA, keyB ))
	end
	print("|---|----------------|---|----------------|---|")

end
-- A little helper to place an item first in the list
local function placeFirst(akey, list)
	akey  = akey:lower()
	if list[1] == akey then 
		-- Already at pole position
		return list
	end
	local result = {akey}
	--print(("Putting '%s' first"):format(akey))
	for i,v in ipairs(list) do
		if v ~= akey then 
			result[#result+1] = v
		end
	end
	return result
end
local function dumptofile(results)
	local sector, blockNo, keyA, keyB,_

	if utils.confirm("Do you wish to save the keys to dumpfile?") then 
		local destination = utils.input("Select a filename to store to", "dumpkeys.bin")
		local file = io.open(destination, "w")
		if file == nil then 
			print("Could not write to file ", destination)
			return
		end

		local key_a = ""
		local key_b = ""
		
		for sector,_ in pairs(results) do
			blockNo, keyA, keyB = unpack(_)
			key_a = key_a .. bin.pack("H",keyA);
			key_b = key_b .. bin.pack("H",keyB);
		end
		file:write(key_a)
		file:write(key_b)
		file:close()
	end
end
local function printkeys() 
	for i=0,#keys do
		print(i,keys[i])
		
	end
	print ('Number of keys: '..#keys)
end

local function main( args)

	-- Arguments for the script
	for o, a in getopt.getopt(args, 'hp') do
		if o == "h" then return help() end			
		if o == "p" then return printkeys() end
	end
	
	result, err = reader.read1443a()
	if not result then
		print(err)
		return
	end

	print(("Found a %s tag"):format(result.name))

	core.clearCommandBuffer()
	local blockNo
	local keyType = 0 -- A=0, B=1
	local numSectors = 16 

	if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k
		-- IFARE Classic 4K offers 4096 bytes split into forty sectors, 
		-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. 
		numSectors = 40
	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
		-- 1K offers 1024 bytes of data storage, split into 16 sector
		numSectors = 16
	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
		-- MIFARE Classic mini offers 320 bytes split into five sectors.
		numSectors = 5
	elseif  0x10 == result.sak then-- "NXP MIFARE Plus 2k"
		numSectors = 32
	else
		print("I don't know how many sectors there are on this type of card, defaulting to 16")
	end

	result = {}
	for sector=1,numSectors,1 do

		--[[
		The mifare Classic 1k card has 16 sectors of 4 data blocks each. 
		The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
		8 sectors consist of 16 data blocks. 
		--]]
		local blockNo = sector * 4 -1 
		
		if sector > 32 then
			blockNo = 32*4+ (sector-32)*16 -1
		end

		local keyA = checkBlock(blockNo, keys, 0)
		if keyA then keys  = placeFirst(keyA, keys) end
		keyA = keyA or ""

		local keyB = checkBlock(blockNo, keys, 1)
		if keyB then keys  = placeFirst(keyB, keys) end
		keyB = keyB or ""

		result[sector] = {blockNo, keyA, keyB }

		-- Check if user aborted
		if core.ukbhit() then
			print("Aborted by user")
			break
		end
	end
	displayresults(result)
	dumptofile(result)
end

main( args)
Commit	Line	Data
16b04cb2	1	--[[
	2	This is an example of Lua-scripting within proxmark3. This is a lua-side
	3	implementation of hf mf chk
	4
	5	This code is licensed to you under the terms of the GNU GPL, version 2 or,
	6	at your option, any later version. See the LICENSE.txt file for the text of
	7	the license.
	8
	9	Copyright (C) 2013 m h swende <martin at swende.se>
05ed5c49	10	--]]
16b04cb2	11	-- Loads the commands-library
	12	local cmds = require('commands')
	13	-- Load the default keys
	14	local keys = require('mf_default_keys')
a2d82b46	15	-- Ability to read what card is there
a2d82b46	16	local reader = require('read14a')
62254ea5	17	local getopt = require('getopt')
a2d82b46	18
62254ea5	19	local OR = bit32.bor
62254ea5	20	local LSHIFT = bit32.lshift
05ed5c49	21
62254ea5	22	example =[[
	23	script run mfkeys
	24	]]
	25	author = "Iceman"
	26	usage = "script run mfkeys"
	27	desc = ("This script implements Mifare check keys. It utilises a large list of default keys (currently %d keys).\
	28	If you want to add more, just put them inside /lualibs/mf_default_keys.lua\n"):format(#keys) ..
	29	[[
	30
	31	Arguments:
	32	-h : this help
57778a46	33	-p : print keys
62254ea5	34	]]
16b04cb2	35
16b04cb2	36	local TIMEOUT = 10000 -- 10 seconds
62254ea5	37	---
	38	-- Usage help
	39	function help()
	40	print(desc)
	41	print("Example usage")
	42	print(example)
	43	end
05ed5c49	44
	45	--[[This may be moved to a separate library at some point]]
	46	local utils =
	47	{
	48	---
	49	-- Asks the user for Yes or No
	50	confirm = function(message, ...)
	51	local answer
	52	message = message .. " [y]/[n] ?"
	53	repeat
	54	io.write(message)
	55	io.flush()
	56	answer=io.read()
	57	if answer == 'Y' or answer == "y" then
	58	return true
	59	elseif answer == 'N' or answer == 'n' then
	60	return false
	61	end
	62	until false
	63	end,
	64	---
	65	-- Asks the user for input
	66	input = function (message , default)
	67	local answer
	68	if default ~= nil then
	69	message = message .. " (default: ".. default.. " )"
	70	end
	71	message = message .." \n > "
	72	io.write(message)
	73	io.flush()
	74	answer=io.read()
	75	if answer == '' then answer = default end
	76
	77	return answer
	78	end,
	79	}
	80
16b04cb2	81
	82	local function checkCommand(command)
	83
	84	--print("Sending this command : " .. tostring(command))
	85	local usbcommand = command:getBytes()
	86	core.SendCommand(usbcommand)
	87	local result = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
	88	if result then
	89	local count,cmd,arg0 = bin.unpack('LL',result)
	90	if(arg0==1) then
	91	local count,arg1,arg2,data = bin.unpack('LLH511',result,count)
	92	key = data:sub(1,12)
	93	return key
	94	else
	95	--print("Key not found...")
	96	return nil
	97	end
	98	else
	99	print("Timeout while waiting for response. Increase TIMEOUT in keycheck.lua to wait longer")
	100	return nil, "Timeout while waiting for device to respond"
	101	end
	102	end
	103
16b04cb2	104	function checkBlock(blockNo, keys, keyType)
	105	-- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go.
	106	-- If there's more, we need to split it up
	107	local start, remaining= 1, #keys
	108	local packets = {}
	109	while remaining > 0 do
	110	local n,data = remaining, nil
	111	if remaining > 85 then n = 85 end
	112	local data = table.concat(keys,"",start,n)
16b04cb2	113	print(("Testing block %d, keytype %d, with %d keys"):format(blockNo, keyType, n))
16b04cb2	114	local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS,
62254ea5	115	arg1 = OR(blockNo, LSHIFT(keyType,8) ),
62254ea5	116	arg2 = 0,
16b04cb2	117	arg3 = n,
	118	data = data}
	119	local status = checkCommand(command)
	120	if status then return status, blockNo end
	121	start = start+n+1
	122	remaining = remaining - n
	123	end
	124	return nil
	125	end
	126
	127	-- A function to display the results
62254ea5	128	-- TODO: iceman 2016, still screws up output when a key is not found.
16b04cb2	129	local function displayresults(results)
	130	local sector, blockNo, keyA, keyB,_
	131
62254ea5	132	print("\|---\|----------------\|---\|----------------\|---\|")
	133	print("\|sec\|key A \|res\|key B \|res\|")
	134	print("\|---\|----------------\|---\|----------------\|---\|")
16b04cb2	135
	136	for sector,_ in pairs(results) do
	137	blockNo, keyA, keyB = unpack(_)
62254ea5	138	print(("\|%03d\| %s \| 1 \| %s \| 1 \|"):format(sector, keyA, keyB ))
16b04cb2	139	end
62254ea5	140	print("\|---\|----------------\|---\|----------------\|---\|")
16b04cb2	141
	142	end
	143	-- A little helper to place an item first in the list
	144	local function placeFirst(akey, list)
	145	akey = akey:lower()
	146	if list[1] == akey then
	147	-- Already at pole position
	148	return list
	149	end
	150	local result = {akey}
	151	--print(("Putting '%s' first"):format(akey))
	152	for i,v in ipairs(list) do
	153	if v ~= akey then
	154	result[#result+1] = v
	155	end
	156	end
	157	return result
	158	end
05ed5c49	159	local function dumptofile(results)
05ed5c49	160	local sector, blockNo, keyA, keyB,_
16b04cb2	161
05ed5c49	162	if utils.confirm("Do you wish to save the keys to dumpfile?") then
	163	local destination = utils.input("Select a filename to store to", "dumpkeys.bin")
	164	local file = io.open(destination, "w")
	165	if file == nil then
	166	print("Could not write to file ", destination)
	167	return
	168	end
	169
	170	local key_a = ""
	171	local key_b = ""
	172
	173	for sector,_ in pairs(results) do
	174	blockNo, keyA, keyB = unpack(_)
	175	key_a = key_a .. bin.pack("H",keyA);
	176	key_b = key_b .. bin.pack("H",keyB);
	177	end
	178	file:write(key_a)
	179	file:write(key_b)
	180	file:close()
	181	end
	182	end
57778a46	183	local function printkeys()
	184	for i=0,#keys do
	185	print(i,keys[i])
	186
	187	end
	188	print ('Number of keys: '..#keys)
	189	end
05ed5c49	190
05ed5c49	191	local function main( args)
16b04cb2	192
62254ea5	193	-- Arguments for the script
57778a46	194	for o, a in getopt.getopt(args, 'hp') do
62254ea5	195	if o == "h" then return help() end
57778a46	196	if o == "p" then return printkeys() end
62254ea5	197	end
62254ea5	198
a2d82b46	199	result, err = reader.read1443a()
	200	if not result then
	201	print(err)
	202	return
	203	end
a2d82b46	204
62254ea5	205	print(("Found a %s tag"):format(result.name))
a2d82b46	206
16b04cb2	207	core.clearCommandBuffer()
	208	local blockNo
	209	local keyType = 0 -- A=0, B=1
05ed5c49	210	local numSectors = 16
	211
	212	if 0x18 == result.sak then --NXP MIFARE Classic 4k \| Plus 4k
	213	-- IFARE Classic 4K offers 4096 bytes split into forty sectors,
	214	-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
	215	numSectors = 40
	216	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k \| Plus 2k
	217	-- 1K offers 1024 bytes of data storage, split into 16 sector
	218	numSectors = 16
	219	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
	220	-- MIFARE Classic mini offers 320 bytes split into five sectors.
	221	numSectors = 5
	222	elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"
	223	numSectors = 32
	224	else
	225	print("I don't know how many sectors there are on this type of card, defaulting to 16")
	226	end
	227
	228	result = {}
	229	for sector=1,numSectors,1 do
16b04cb2	230
16b04cb2	231	--[[
05ed5c49	232	The mifare Classic 1k card has 16 sectors of 4 data blocks each.
05ed5c49	233	The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
16b04cb2	234	8 sectors consist of 16 data blocks.
	235	--]]
	236	local blockNo = sector * 4 -1
	237
	238	if sector > 32 then
	239	blockNo = 324+ (sector-32)16 -1
	240	end
	241
	242	local keyA = checkBlock(blockNo, keys, 0)
	243	if keyA then keys = placeFirst(keyA, keys) end
	244	keyA = keyA or ""
	245
	246	local keyB = checkBlock(blockNo, keys, 1)
	247	if keyB then keys = placeFirst(keyB, keys) end
	248	keyB = keyB or ""
	249
	250	result[sector] = {blockNo, keyA, keyB }
	251
	252	-- Check if user aborted
	253	if core.ukbhit() then
	254	print("Aborted by user")
	255	break
	256	end
	257	end
	258	displayresults(result)
05ed5c49	259	dumptofile(result)
16b04cb2	260	end
16b04cb2	261
05ed5c49	262	main( args)
16b04cb2	263