fix memory overflow in hf mf nested (issue #479)
[proxmark3-svn] / client / scripts / didump.lua
1local cmds = require('commands')
2local getopt = require('getopt')
3local utils = require('utils')
4local lib14a = require('read14a')
5
-- Script metadata, kept as globals exactly as the original declares them.
-- help() prints `desc` and `example`; `author` and `usage` are not read
-- anywhere else in this file.
author = "Iceman"
usage = "script run didump -k <key> "
example = [[
 script run didump
 script run didump -k aabbccddeeff
]]
desc = [[
This is a script to dump and decrypt the data of a specific type of Mifare Mini token.

Arguments:
 -h : this help
 -k <key> : Mifare Key A.
]]
19
-- Short local aliases for the bit32 library functions used by the checksum code.
local band, bor, bnot = bit32.band, bit32.bor, bit32.bnot
local bxor, lshift, rshift = bit32.bxor, bit32.lshift, bit32.rshift

-- Fixed hex constants embedded in the script. main() concatenates RANDOM with
-- the UID reported by the tag and hashes the result to obtain the AES key, so
-- the derived key depends on nothing but these constants and the tag UID.
local FOO = 'AF62D2EC0491968CC52A1A7165F865FE'
local BAR = '286329204469736E65792032303133'
local RANDOM = FOO..BAR

-- Timestamped base name; evaluated once, when the script is loaded.
local outputTemplate = os.date("toydump_%Y-%m-%d_%H%M%S");

local TIMEOUT = 2000        -- passed to core.WaitForResponseTimeout in waitCmd()
local DEBUG = false         -- gates the output of dbg()
local numBlocks = 20        -- upper bound of the block loop in main()
local numSectors = 5
local CHECKSUM_OFFSET = 12; -- +1???  (original author's open question; unused in this file)
---
-- Debug printout helper.
-- Prints its argument prefixed with "###" when the file-level DEBUG flag is
-- truthy and stays silent otherwise.
function dbg(args)
    if not DEBUG then
        return
    end
    print("###", args)
end
---
-- Error reporter, only meant for failure paths.
-- Prints the message and then clears the client's command buffer.
-- It returns nothing, so `return oops(err)` in a caller ends that caller
-- without a return value.
function oops(err)
    print("ERROR: ", err)
    core.clearCommandBuffer()
end
---
-- Usage help: prints the global description text followed by the
-- example invocations.
function help()
    print(desc)
    print("Example usage")
    print(example)
end
---
-- Extract the stored checksum from one block.
-- called: data is string (32 hex digits)
-- returns: number parsed from hex digits 25..32, or nil when that slice is
--          not a valid hexadecimal number
local function getChecksum(data)
    local FIRST_DIGIT, LAST_DIGIT = 25, 32
    return tonumber(data:sub(FIRST_DIGIT, LAST_DIGIT), 16)
end
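---
-- Lookup table for the reflected CRC-32 polynomial 0xEDB88320, indexed 0..255.
-- It is generated once when the script loads instead of being rebuilt from 256
-- literal assignments on every call; the generated values are the same
-- constants the original listing spelled out.
local CRC_TABLE = {}
for n = 0, 255 do
    local c = n
    for _ = 1, 8 do
        if band(c, 1) == 1 then
            c = bxor(0xEDB88320, rshift(c, 1))
        else
            c = rshift(c, 1)
        end
    end
    CRC_TABLE[n] = c
end

---
-- calculate checksum
-- called: data is a sequence of byte values (12 bytes for a 24-hex-digit block)
-- returns: number (32-bit)
--
-- The running value starts at 0 and is returned without a final XOR, which
-- differs from the usual CRC-32 presentation even though the table is the same.
-- A CRC only detects accidental corruption; it is not a keyed integrity check,
-- and any party can recompute it for modified data.
local function calculateChecksum(data)
    local ret = 0
    -- ipairs, not pairs: a CRC depends on byte order, and pairs() gives no
    -- ordering guarantee.
    for _, item in ipairs(data) do
        local index = band(bxor(ret, item), 0xFF)
        ret = bxor(rshift(ret, 8), CRC_TABLE[index])
    end
    return ret
end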
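---
-- update checksum
-- called: data is string, ( >= 24 hex digits )
-- returns: string, the first 24 hex digits of data followed by the freshly
--          calculated checksum as exactly 8 uppercase hex digits
local function updateChecksum(data)
    local part = data:sub(1, 24)
    local chksum = calculateChecksum(utils.ConvertHexToBytes(part))
    -- %08X rather than %X: a checksum with leading zero nibbles must still
    -- occupy eight digits, otherwise the block comes out shorter than 32 hex
    -- digits and getChecksum() would read a misaligned value from it.
    return string.format("%s%08X", part, chksum)
end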
---
-- Receives the answer from the device side; used after a readblock command.
-- returns: the first 32 characters of the unpacked data field on success,
--          or nil plus an error message when no response arrives within
--          TIMEOUT or the response's first argument is not 1
local function waitCmd()
    local response = core.WaitForResponseTimeout(cmds.CMD_ACK, TIMEOUT)
    if not response then
        return nil, "No response from device"
    end

    -- The third value unpacked from the response is the status the original
    -- code names arg0; only the value 1 is treated as a successful read.
    local offset, _, status = bin.unpack('LL', response)
    if status ~= 1 then
        return nil, "Couldn't read block.."
    end

    -- Continue unpacking at the returned offset; the fourth value is the data field.
    local _, _, _, payload = bin.unpack('LLH511', response, offset)
    return payload:sub(1, 32)
end
363
---
-- Prints a fixed sample block together with its stored checksum, the checksum
-- calculated over its first 24 hex digits, and the block as rebuilt by
-- updateChecksum(). The values are only printed for visual comparison;
-- nothing is asserted or returned.
local function selftest()
    local testdata = '000F42430D0A14000001D11F'..'5D738517'
    local payload = testdata:sub(1, 24)
    local stored = getChecksum(testdata)
    local computed = calculateChecksum(utils.ConvertHexToBytes(payload))

    print('TESTDATA :: '..testdata)
    print('DATA :: '..payload)
    print(('CHKSUM :: %X'):format(stored))
    print(('CHKSUM CALC :: %X'):format(computed))
    print('UPDATE CHKSUM :: '..updateChecksum(testdata))
end
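---
-- The main entry point.
-- Options actually parsed by the getopt loop below:
--   -h        print the help text and exit
--   -k <key>  Mifare key A, 12 hex digits (a built-in default is used when omitted)
-- (The earlier header listed -d/-e/-v, but no such options are parsed.)
-- called: args is the argument string handed to the script
-- returns: nothing
function main(args)

    local cmd, result, err, keyA
    local decryptkey = ''

    -- Read the parameters
    for o, a in getopt.getopt(args, 'hk:') do
        if o == "h" then return help() end
        if o == "k" then keyA = a end
    end

    -- Runs on every invocation and only prints its comparison values.
    selftest()

    -- validate input args.
    keyA = keyA or '6dd747e86975'
    if #(keyA) ~= 12 then
        return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
    end
    -- The key is later placed verbatim into the read command's data field, so
    -- reject anything that is not pure hex before it is sent to the device.
    if not keyA:find('^%x+$') then
        return oops('Key must consist of hexadecimal digits only')
    end

    -- Turn off Debug
    local cmdSetDbgOff = "hf mf dbg 0"
    core.console( cmdSetDbgOff)

    -- GET TAG UID
    result, err = lib14a.read1443a(false, true)
    if not result then
        return oops(err)
    end

    core.clearCommandBuffer()

    -- Note: this echoes the key in use to the console along with the UID.
    print(result.uid, keyA)

    -- NOTE(review): unconditional early exit left in by the author. Everything
    -- below this point is currently unreachable; the script stops after
    -- printing the UID and key. (Lua only allows `return` as the last statement
    -- of a block, hence the always-true `if`.)
    if 1 == 1 then
        return
    end

    -- Show tag info
    print((' Found tag %s'):format(result.name))

    -- Key derivation as written: hash RANDOM..uid, treat the first 16
    -- characters of the result as raw bytes, hex-encode them, and swap the
    -- endianness of each 8-hex-digit group. No input other than the embedded
    -- constant and the tag-reported UID goes into the key.
    local longrandom = RANDOM..result.uid
    local res = utils.Sha1Hex(longrandom)
    res = utils.ConvertBytesToHex(utils.ConvertAsciiToBytes(res:sub(1,16)))
    decryptkey = utils.SwapEndiannessStr(res:sub(1,8) , 32)
    decryptkey = decryptkey..utils.SwapEndiannessStr( res:sub(9,16),32)
    decryptkey = decryptkey..utils.SwapEndiannessStr( res:sub(17,24),32)
    decryptkey = decryptkey..utils.SwapEndiannessStr( res:sub(25,32),32)
    print('Decrypt key::',decryptkey)
    print('Reading card data')
    print('Raw','Decrypted')
    for blockNo = 0, numBlocks-1, 1 do

        if core.ukbhit() then
            print("aborted by user")
            break
        end

        cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blockNo ,arg2 = 0,arg3 = 0, data = keyA}
        local err = core.SendCommand(cmd:getBytes())
        if err then return oops(err) end
        local blockdata, err = waitCmd()
        if err then return oops(err) end

        if blockNo%4 ~= 3 then

            -- blocks with zero not encrypted.
            if string.find(blockdata, '^0+$') then
                print(blockdata, blockdata)
            else
                local aes = core.aes128_decrypt_ecb(decryptkey, blockdata)
                local bytes = utils.ConvertAsciiToBytes(aes)
                local hex = utils.ConvertBytesToHex(bytes)
                print(blockdata , hex)
            end
        elseif blockNo == 0 then
            -- NOTE(review): this branch can never run, because block 0 already
            -- satisfies `blockNo%4 ~= 3` above and takes the first branch.
            -- If block 0 is meant to be printed raw, this test has to come
            -- first -- confirm intent before reordering.
            print(blockdata,blockdata)
        else
            -- Sectorblocks, not encrypted
            -- The displayed trailer is rebuilt from keyA, hex digits 13..20
            -- of the block read, and keyA again.
            local sectortrailer = keyA..blockdata:sub(13,20)..keyA
            print(sectortrailer, sectortrailer, blockdata:sub(13,20))
        end
    end
    -- checksum is the last four bytes of each row (maybe not for s0)
    -- s0b1,s1b0,s2b0,s3b0
    --
end

main(args)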