]> git.zerfleddert.de Git - proxmark3-svn/blob - client/scripts/tnp3clone.lua
hf mfu info bugs
[proxmark3-svn] / client / scripts / tnp3clone.lua
1 local cmds = require('commands')
2 local getopt = require('getopt')
3 local lib14a = require('read14a')
4 local utils = require('utils')
5 local pre = require('precalc')
6 local toys = require('default_toys')
7
8 local lsh = bit32.lshift
9 local rsh = bit32.rshift
10 local bor = bit32.bor
11 local band = bit32.band
12
13 example =[[
14 script run tnp3clone
15 script run tnp3clone -h
16 script run tnp3clone -t aa00 -s 0030
17
18 ]]
19 author = "Iceman"
20 usage = "script run tnp3clone -t <toytype> -s <subtype>"
21 desc =[[
22 This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card.
23
24 Arguments:
25 -h : this help
26 -t <data> : toytype id, 4hex symbols.
27 -s <data> : subtype id, 4hex symbols
28
29 For fun, try the following subtype id:
30 0612 - Lightcore
31 0118 - Series 1
32 0138 - Series 2
33 0234 - Special
34 023c - Special
35
36 ]]
37
38
39 -- This is only meant to be used when errors occur
40 function oops(err)
41 print("ERROR: ",err)
42 end
43 -- Usage help
44 function help()
45 print(desc)
46 print("Example usage")
47 print(example)
48 end
49
50 local function waitCmd()
51 local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000)
52 if response then
53 local count,cmd,arg0 = bin.unpack('LL',response)
54 if(arg0==1) then
55 local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
56 return data:sub(1,32)
57 else
58 return nil, "Couldn't read block."
59 end
60 end
61 return nil, "No response from device"
62 end
63
64 local function readblock( blocknum, keyA )
65 -- Read block 0
66 cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blocknum, arg2 = 0, arg3 = 0, data = keyA}
67 err = core.SendCommand(cmd:getBytes())
68 if err then return nil, err end
69 local block0, err = waitCmd()
70 if err then return nil, err end
71 return block0
72 end
73 local function readmagicblock( blocknum )
74 -- Read block 0
75 local CSETBLOCK_SINGLE_OPERATION = 0x1F
76 cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum}
77 err = core.SendCommand(cmd:getBytes())
78 if err then return nil, err end
79 local block0, err = waitCmd()
80 if err then return nil, err end
81 return block0
82 end
83
84 local function main(args)
85
86 print( string.rep('--',20) )
87 print( string.rep('--',20) )
88
89 local numBlocks = 64
90 local cset = 'hf mf csetbl '
91 local csetuid = 'hf mf csetuid '
92 local cget = 'hf mf cgetbl '
93 local empty = '00000000000000000000000000000000'
94 local AccAndKeyB = '7F078869000000000000'
95 -- Defaults to Gusto
96 local toytype = 'C201'
97 local subtype = '0030'
98 local DEBUG = true
99
100 -- Arguments for the script
101 for o, a in getopt.getopt(args, 'ht:s:') do
102 if o == "h" then return help() end
103 if o == "t" then toytype = a end
104 if o == "s" then subtype = a end
105 end
106
107 if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end
108 if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end
109
110 -- look up type, find & validate types
111 local item = toys.Find( toytype, subtype)
112 if item then
113 print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) )
114 else
115 print('Didn\'t find item type. If you are sure about it, report it in')
116 end
117 --15,16
118 --13-14
119
120
121 -- find tag
122 result, err = lib14a.read1443a(false)
123 if not result then return oops(err) end
124
125 -- load keys
126 local akeys = pre.GetAll(result.uid)
127 local keyA = akeys:sub(1, 12 )
128
129 local b0 = readblock(0,keyA)
130 if not b0 then
131 print('failed reading block with factorydefault key. Trying chinese magic read.')
132 b0, err = readmagicblock(0)
133 if not b0 then
134 oops(err)
135 return oops('failed reading block with chinese magic command. quitting...')
136 end
137 end
138
139 -- wipe card.
140 local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)
141 core.console(cmd)
142
143 local b1 = toytype..'00000000000000000000'..subtype
144 local calc = utils.Crc16(b0..b1)
145 local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8))
146
147 local cmd = (cset..'1 %s%04x'):format( b1, calcEndian)
148 core.console(cmd)
149
150 local pos, key
151 for blockNo = 2, numBlocks-1, 1 do
152 pos = (math.floor( blockNo / 4 ) * 12)+1
153 key = akeys:sub(pos, pos + 11 )
154 if blockNo%4 == 3 then
155 cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB)
156 core.console(cmd)
157 end
158 end
159 core.clearCommandBuffer()
160 end
161 main(args)
Impressum, Datenschutz