]> git.zerfleddert.de Git - proxmark3-svn/blame - client/scripts/tnp3clone.lua
FIX: "hf mf hardnested" when "key found" exting the do-while loop doesn't need to...
[proxmark3-svn] / client / scripts / tnp3clone.lua
CommitLineData
40762506 1local cmds = require('commands')
2local getopt = require('getopt')
3local lib14a = require('read14a')
4local utils = require('utils')
5local pre = require('precalc')
cff17e78 6local toys = require('default_toys')
40762506 7
8local lsh = bit32.lshift
9local rsh = bit32.rshift
10local bor = bit32.bor
11local band = bit32.band
12
13example =[[
c3fe354b 14 script run tnp3clone
15 script run tnp3clone -h
f288cb60 16 script run tnp3clone -l
c3fe354b 17 script run tnp3clone -t aa00 -s 0030
40762506 18
19]]
20author = "Iceman"
c3fe354b 21usage = "script run tnp3clone -t <toytype> -s <subtype>"
40762506 22desc =[[
23This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card.
24
25Arguments:
26 -h : this help
f288cb60 27 -l : list all known toy tokens
28 -t <data> : toytype id, 4hex symbols
c3fe354b 29 -s <data> : subtype id, 4hex symbols
26b8f38b 30
31 For fun, try the following subtype id:
32 0612 - Lightcore
33 0118 - Series 1
34 0138 - Series 2
35 0234 - Special
36 023c - Special
bb84c381 37 0020 - Swapforce
40762506 38]]
39
40
41-- This is only meant to be used when errors occur
42function oops(err)
43 print("ERROR: ",err)
44end
45-- Usage help
46function help()
47 print(desc)
48 print("Example usage")
49 print(example)
50end
51
52local function waitCmd()
53 local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000)
54 if response then
55 local count,cmd,arg0 = bin.unpack('LL',response)
56 if(arg0==1) then
57 local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
58 return data:sub(1,32)
59 else
60 return nil, "Couldn't read block."
61 end
62 end
63 return nil, "No response from device"
64end
65
7b47fa9b 66local function readblock( blocknum, keyA )
40762506 67 -- Read block 0
7b47fa9b 68 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blocknum, arg2 = 0, arg3 = 0, data = keyA}
40762506 69 err = core.SendCommand(cmd:getBytes())
7b47fa9b 70 if err then return nil, err end
40762506 71 local block0, err = waitCmd()
7b47fa9b 72 if err then return nil, err end
73 return block0
74end
75local function readmagicblock( blocknum )
76 -- Read block 0
77 local CSETBLOCK_SINGLE_OPERATION = 0x1F
78 cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum}
f288cb60 79 err = core.SendCommand(cmd:getBytes())
7b47fa9b 80 if err then return nil, err end
81 local block0, err = waitCmd()
82 if err then return nil, err end
40762506 83 return block0
84end
85
86local function main(args)
87
c3fe354b 88 print( string.rep('--',20) )
89 print( string.rep('--',20) )
90
40762506 91 local numBlocks = 64
7b47fa9b 92 local cset = 'hf mf csetbl '
c3fe354b 93 local csetuid = 'hf mf csetuid '
7b47fa9b 94 local cget = 'hf mf cgetbl '
40762506 95 local empty = '00000000000000000000000000000000'
96 local AccAndKeyB = '7F078869000000000000'
97 -- Defaults to Gusto
98 local toytype = 'C201'
c3fe354b 99 local subtype = '0030'
100 local DEBUG = true
40762506 101
102 -- Arguments for the script
f288cb60 103 for o, a in getopt.getopt(args, 'ht:s:l') do
40762506 104 if o == "h" then return help() end
105 if o == "t" then toytype = a end
c3fe354b 106 if o == "s" then subtype = a end
f288cb60 107 if o == "l" then return toys.List() end
40762506 108 end
f288cb60 109
c3fe354b 110 if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end
111 if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end
112
113 -- look up type, find & validate types
114 local item = toys.Find( toytype, subtype)
115 if item then
116 print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) )
117 else
118 print('Didn\'t find item type. If you are sure about it, report it in')
119 end
120 --15,16
121 --13-14
122
40762506 123
124 -- find tag
125 result, err = lib14a.read1443a(false)
126 if not result then return oops(err) end
127
40762506 128 -- load keys
129 local akeys = pre.GetAll(result.uid)
130 local keyA = akeys:sub(1, 12 )
131
7b47fa9b 132 local b0 = readblock(0,keyA)
133 if not b0 then
134 print('failed reading block with factorydefault key. Trying chinese magic read.')
135 b0, err = readmagicblock(0)
136 if not b0 then
137 oops(err)
138 return oops('failed reading block with chinese magic command. quitting...')
139 end
140 end
40762506 141
6c81ae55 142 -- wipe card.
c3fe354b 143 local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)
6c81ae55 144 core.console(cmd)
f288cb60 145
146 local b1 = toytype..string.rep('00',10)..subtype
6c81ae55 147
40762506 148 local calc = utils.Crc16(b0..b1)
149 local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8))
150
7b47fa9b 151 local cmd = (cset..'1 %s%04x'):format( b1, calcEndian)
6c81ae55 152 core.console(cmd)
40762506 153
154 local pos, key
155 for blockNo = 2, numBlocks-1, 1 do
156 pos = (math.floor( blockNo / 4 ) * 12)+1
157 key = akeys:sub(pos, pos + 11 )
6c81ae55 158 if blockNo%4 == 3 then
40762506 159 cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB)
6c81ae55 160 core.console(cmd)
161 end
40762506 162 end
6c81ae55 163 core.clearCommandBuffer()
40762506 164end
165main(args)
Impressum, Datenschutz