X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/7b47fa9b3de06f85be30391da013b2b031513cec..2e78fbaa1d62a89689fd12048db7e0b6be696a5e:/client/scripts/tnp3clone.lua diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua index 011e0a57..e87c338e 100644 --- a/client/scripts/tnp3clone.lua +++ b/client/scripts/tnp3clone.lua @@ -3,6 +3,7 @@ local getopt = require('getopt') local lib14a = require('read14a') local utils = require('utils') local pre = require('precalc') +local toys = require('default_toys') local lsh = bit32.lshift local rsh = bit32.rshift @@ -10,19 +11,30 @@ local bor = bit32.bor local band = bit32.band example =[[ - script run tnp3dump - script run tnp3dump -h - script run tnp3dump -t aa00 + script run tnp3clone + script run tnp3clone -h + script run tnp3clone -l + script run tnp3clone -t aa00 -s 0030 ]] author = "Iceman" -usage = "script run tnp3clone -t " +usage = "script run tnp3clone -t -s " desc =[[ This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card. Arguments: -h : this help - -k : toytype id, 4 hex symbols. + -l : list all known toy tokens + -t : toytype id, 4hex symbols + -s : subtype id, 4hex symbols + + For fun, try the following subtype id: + 0612 - Lightcore + 0118 - Series 1 + 0138 - Series 2 + 0234 - Special + 023c - Special + 0020 - Swapforce ]] @@ -64,7 +76,7 @@ local function readmagicblock( blocknum ) -- Read block 0 local CSETBLOCK_SINGLE_OPERATION = 0x1F cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum} - err = core.SendCommand(cmd:getBytes()) + err = core.SendCommand(cmd:getBytes()) if err then return nil, err end local block0, err = waitCmd() if err then return nil, err end @@ -73,29 +85,46 @@ end local function main(args) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + local numBlocks = 64 local cset = 'hf mf csetbl ' + local csetuid = 'hf mf csetuid ' local cget = 'hf mf cgetbl ' local empty = '00000000000000000000000000000000' local AccAndKeyB = '7F078869000000000000' -- Defaults to Gusto local toytype = 'C201' + local subtype = '0030' + local DEBUG = true -- Arguments for the script - for o, a in getopt.getopt(args, 'ht:') do + for o, a in getopt.getopt(args, 'ht:s:l') do if o == "h" then return help() end if o == "t" then toytype = a end + if o == "s" then subtype = a end + if o == "l" then return toys.List() end end - - if #toytype ~= 4 then return oops('Wrong size in toytype. (4hex symbols)') end + + if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end + if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end + + -- look up type, find & validate types + local item = toys.Find( toytype, subtype) + if item then + print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) ) + else + print('Didn\'t find item type. If you are sure about it, report it in') + end + --15,16 + --13-14 + -- find tag result, err = lib14a.read1443a(false) if not result then return oops(err) end - -- Show tag info - print((' Found tag %s'):format(result.name)) - -- load keys local akeys = pre.GetAll(result.uid) local keyA = akeys:sub(1, 12 ) @@ -109,24 +138,28 @@ local function main(args) return oops('failed reading block with chinese magic command. quitting...') end end - local b1 = toytype..'000000000000000000000000' + + -- wipe card. + local cmd = (csetuid..'%s 0004 08 w'):format(result.uid) + core.console(cmd) + + local b1 = toytype..string.rep('00',10)..subtype local calc = utils.Crc16(b0..b1) local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8)) local cmd = (cset..'1 %s%04x'):format( b1, calcEndian) - core.console( cmd) + core.console(cmd) local pos, key for blockNo = 2, numBlocks-1, 1 do pos = (math.floor( blockNo / 4 ) * 12)+1 key = akeys:sub(pos, pos + 11 ) - if blockNo%4 ~= 3 then - cmd = ('%s %d %s'):format(cset,blockNo,empty) - else + if blockNo%4 == 3 then cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB) - end - core.console(cmd) + core.console(cmd) + end end + core.clearCommandBuffer() end main(args) \ No newline at end of file