From: iceman1001 <iceman@iuse.se>
Date: Sun, 9 Nov 2014 16:22:04 +0000 (+0100)
Subject: Updated tnp3.lua
X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/22f1c57786097d373e6d4706588b5d9e9a09e8e5

Updated tnp3.lua
Added ways to abort the "hf mf nested" command.
Added rudimentary item identification for tnp3xxx.
---

diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index 7e3e9293..0d1fb77a 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -76,7 +76,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	//  ----------------------------- crypto1 destroy
 	crypto1_destroy(pcs);
 	
-	if (MF_DBGLEVEL >= 2)	DbpString("READ BLOCK FINISHED");
+	if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
 
 	LED_B_ON();
 	cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
@@ -558,6 +558,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	// statistics on nonce distance
 	if (calibrate) {	// for first call only. Otherwise reuse previous calibration
 		LED_B_ON();
+		WDT_HIT();
 
 		davg = dmax = 0;
 		dmin = 2000;
@@ -596,10 +597,10 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 				continue;
 			};
 
-			nttmp = prng_successor(nt1, 100);				//NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
-			for (i = 101; i < 1200; i++) {
+			nttmp = prng_successor(nt1, 140);				//NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160
+			for (i = 141; i < 1200; i++) {
 				nttmp = prng_successor(nttmp, 1);
-				if (nttmp == nt2) break;
+				if (nttmp == nt2) {break;}
 			}
 
 			if (i != 1200) {
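Review bot: The lower bound of the nonce-distance search moves from 100 to 140 at `prng_successor(nt1, 140)` / `for (i = 141; i < 1200; i++)`, but the trailing comment still only cites 840 and 160 as typical distances and gives no reason for 140. Distances in the range 101–140 were matched before and are now treated as not found, which narrows what calibration accepts. The coupled literals (140, 141, 1200) would be easier to keep in sync as named constants, e.g. `#define NESTED_DIST_MIN 140` and `#define NESTED_DIST_MAX 1200`, with a one-line comment recording why the lower bound was raised. The enclosing calibration loop starts and ends outside this hunk.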
@@ -615,7 +616,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 			}
 		}
 		
-		if (rtr <= 1)	return;
+		if (rtr <= 1) return;
 
 		davg = (davg + (rtr - 1)/2) / (rtr - 1);
 		
@@ -634,9 +635,18 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	//  get crypted nonces for target sector
 	for(i=0; i < 2; i++) { // look for exactly two different nonces
 
+		WDT_HIT();	
+	    if(BUTTON_PRESS()) {
+			DbpString("Nested: cancelled");
+			crypto1_destroy(pcs);
+			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+			LEDsoff();
+			return;
+		}
+
 		target_nt[i] = 0;
 		while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
-		
+		 
 			// prepare next select. No need to power down the card.
 			if(mifare_classic_halt(pcs, cuid)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Halt error");
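Review bot: The new cancel path returns from MifareNested without sending any reply to the host, and the button is polled only at the top of the two-iteration `for`, not inside `while(target_nt[i] == 0)` where the code can keep retrying. If the client blocks waiting for this command's answer (not visible here; confirm against mfnested in client/mifarehost.c), a cancelled run will surface as a timeout rather than a clean abort. Consider moving the `WDT_HIT(); if(BUTTON_PRESS()) {...}` check into the inner `while` and sending a failure reply before `return`, in the style of the `cmd_send(CMD_ACK, ...)` call used elsewhere in this file. The added `if(BUTTON_PRESS())` line is also indented with spaces where the rest of the block uses tabs. The function body continues outside this hunk.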
@@ -697,15 +707,15 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 			if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);
 		}
 	}
-
+	
 	LED_C_OFF();
 	
 	//  ----------------------------- crypto1 destroy
 	crypto1_destroy(pcs);
 	
 	// add trace trailer
-	memset(uid, 0x44, 4);
-	LogTrace(uid, 4, 0, 0, TRUE);
+//	memset(uid, 0x44, 4);
+//	LogTrace(uid, 4, 0, 0, TRUE);
 
 	byte_t buf[4 + 4 * 4];
 	memcpy(buf, &cuid, 4);
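Review bot: The trace trailer is disabled by commenting out `memset(uid, 0x44, 4);` and `LogTrace(uid, 4, 0, 0, TRUE);`, while the `// add trace trailer` comment above them stays and now describes nothing. Either delete the two lines together with the stale comment, or keep them with a short stated reason, e.g. `// trace trailer disabled: <reason>`. If `uid` has no other use in the function (its declaration is outside this hunk), it is left as an unused local.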
diff --git a/client/.history b/client/.history
index e20a63e0..d781126a 100644
--- a/client/.history
+++ b/client/.history
@@ -9,3 +9,86 @@ lf t55xx rd 2
 lf em4x 410xsim 124s
 lf em4x 410xsim 0F0368568B
 da pl
+scr run sky
+script list
+scr run mifare_autopwn
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3 -n
+scr run  tnp3
+scr run  tnp3 -n
+hf mf nested 0 a 4b0b20107ccb d
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3
+scr run  tnp3 -n
+scr run  tnp3
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run  tnp3
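Review bot: `client/.history` looks like the client's per-user command history rather than source, and this hunk adds 83 lines of one developer's session to it, including `hf mf nested` invocations that carry a key value as an argument. A tracked history file churns on every run and will pick up whatever keys or identifiers an operator types at the prompt. Suggest removing the file from the index and adding `client/.history` to `.gitignore`.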
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 1d2de683..8a48c19c 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -36,7 +36,6 @@ start:
 	//flush queue
 	while (ukbhit())	getchar();
 
-	
 	// wait cycle
 	while (true) {
         printf(".");
@@ -848,9 +847,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		if (ctmp != 'A' && ctmp != 'a') 
 			trgKeyType = 1;
 	} else {
-		
-		
-	
+				
 		switch (cmdp) {
 			case '0': SectorsCnt = 05; break;
 			case '1': SectorsCnt = 16; break;
@@ -935,20 +932,26 @@ int CmdHF14AMfNested(const char *Cmd)
 			}
 		}
 		
-		
 		// nested sectors
 		iterations = 0;
 		PrintAndLog("nested...");
 		bool calibrate = true;
 		for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
 			for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
+
+				if (ukbhit()) {
+					printf("\naborted via keyboard!\n");
+					free(e_sector);
+					return 2;
+				}			
+			
 				for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { 
 					if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
 					PrintAndLog("-----------------------------------------------");
 					if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
 						PrintAndLog("Nested error.\n");
-						return 2;
-					}
+						free(e_sector);
+						return 2;					}
 					else {
 						calibrate = false;
 					}
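Review bot: The keyboard abort at `if (ukbhit())` returns without consuming the pending keystroke, whereas the wait loop earlier in this file drains the queue with `while (ukbhit())	getchar();`. The leftover character will presumably be delivered to whatever reads stdin next, so drain it before `free(e_sector); return 2;`. The abort also returns 2, the same value as the `Nested error.` path, so a caller cannot tell a user cancel from a failure. In the error branch the closing brace has been fused onto the return line (`return 2;					}`); it belongs on its own line. CmdHF14AMfNested continues outside this hunk.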
@@ -1018,10 +1021,9 @@ int CmdHF14AMfNested(const char *Cmd)
 			}
 			fclose(fkeys);
 		}
-		
+
 		free(e_sector);
 	}
-
 	return 0;
 }
 
diff --git a/client/lualibs/default_toys.lua b/client/lualibs/default_toys.lua
new file mode 100644
index 00000000..abb56515
--- /dev/null
+++ b/client/lualibs/default_toys.lua
@@ -0,0 +1,63 @@
+local _names = {
+    --[[
+    --]]
+	["0400"]="BASH",
+	["1600"]="BOOMER" ,
+	["1800"]="CAMO",
+	["3000"]="CHOPCHOP" ,
+	["2000"]="CYNDER",
+	["6400"]="JET-VAC",
+	["6700"]="FLASHWING",
+	["7000"]="TREE REX",
+	["7100"]="LIGHTCORE SHROOMBOOM",
+	["1C00"]="DARK SPYRO",
+	["0600"]="DINORANG" ,
+	["1200"]="DOUBLE TROUBLE" ,
+	["1500"]="DRILLSERGEANT" ,
+	["1400"]="DROBOT",
+	["0900"]="LIGHTCORE ERUPTOR" ,
+	["0B00"]="FLAMESLINGER" ,
+	["1F00"]="GHOST ROASTER",
+	["0E00"]="GILL GRUNT" ,
+	["1D00"]="HEX",
+	["0A00"]="IGNITOR",
+	["0300"]="LIGHTNINGROD",
+	["0700"]="LIGHTCORE PRISM BREAK",
+	["1500"]="SLAMBAM",
+	["0100"]="SONIC BOOM",
+	["1000"]="SPYRO",
+	["1A00"]="STEALTH ELF",
+	["1B00"]="STUMP SMASH",
+	["0800"]="SUNBURN",
+	["0500"]="TERRAFIN",
+	["1300"]="TRIGGER HAPPY",
+	["1100"]="VOODOOD",
+	["0200"]="WARNADO",
+	["0D00"]="WHAM SHELL",
+	["0000"]="WHIRLWIND",
+	["1700"]="WRECKING BALL",
+	["0C00"]="ZAP",
+	["1900"]="ZOOK",
+	["0300"]="DRAGON",
+	["012D"]="ICE",
+	["012E"]="PIRATE",
+	["0130"]="PVPUNLOCK",
+	["012F"]="UNDEAD",
+	["0200"]="ANVIL" ,
+	["CB00"]="CROSSED SWORDS",
+	["CC00"]="HOURGLASS",
+	["CA00"]="REGENERATION",
+	["C900"]="SECRET STASH",
+	["CD00"]="SHIELD",
+	["CF00"]="SPARX",
+	["CE00"]="SPEED BOOTS",
+	["0194"]="LEGENDARY BASH",
+	["0430"]="LEGENDARY CHOPCHOP",
+	["01A0"]="LEGENDARY SPYRO",
+	["01A3"]="LEGENDARY TRIGGER HAPPY",
+	["0202"]="PET GILL GRUNT",
+	["020E"]="PET STEALTH ELF",
+	["01F9"]="PET TERRAFIN",
+	["0207"]="PET TRIGGER HAPPY",
+}
+return _names
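Review bot: Three keys are defined twice in `_names`, and in a Lua table constructor the later entry silently wins: `["1500"]` (DRILLSERGEANT, then SLAMBAM), `["0300"]` (LIGHTNINGROD, then DRAGON) and `["0200"]` (WARNADO, then ANVIL). As written, the first name of each pair can never be returned. The ids need checking against the list they were taken from, since one entry of each pair presumably has a mistyped id. The empty `--[[ --]]` block at the top could instead hold a short header saying what the keys are (tnp3.lua looks them up with the first four characters of block 1) and that the match is case-sensitive against uppercase hex.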
diff --git a/client/mifarehost.c b/client/mifarehost.c
index ed62bcee..cda884d9 100644
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) {
 	else return -1;
 }
 
-
-
 // Compare 16 Bits out of cryptostate
 int Compare16Bits(const void * a, const void * b) {
 	if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
@@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) {
 	else return -1;
 }
 
-
 typedef 
 	struct {
 		union {
@@ -70,15 +67,11 @@ void* nested_worker_thread(void *arg)
 	return statelist->head.slhead;
 }
 
-
-
-
 int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) 
 {
 	uint16_t i, len;
 	uint32_t uid;
 	UsbCommand resp;
-
 	
 	StateList_t statelists[2];
 	struct Crypto1State *p1, *p2, *p3, *p4;
diff --git a/client/scripts/tnp3.lua b/client/scripts/tnp3.lua
index 4e8ca77b..56d0b486 100644
--- a/client/scripts/tnp3.lua
+++ b/client/scripts/tnp3.lua
@@ -4,6 +4,7 @@ local bin = require('bin')
 local lib14a = require('read14a')
 local utils = require('utils')
 local md5 = require('md5')
+local toyNames = require('default_toys')
 
 example =[[
 	1. script run tnp3
@@ -92,8 +93,8 @@ end
 local function main(args)
 
 	print( string.rep('--',20) )
-	print( string.rep('--',20) )
-	print()
+    --print( string.rep('--',20) )
+	--print()
 	
 	local keyA
 	local cmd
@@ -114,27 +115,30 @@ local function main(args)
 	if #(keyA) ~= 12 then
 		return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
 	end
+
+	-- Turn off Debug
+	local cmdSetDbgOff = "hf mf dbg 0"
+	core.console( cmdSetDbgOff) 
 	
 	result, err = lib14a.read1443a(false)
 	if not result then
 		return oops(err)
 	end
 
-	print((' Found tag : %s'):format(result.name))
-
 	core.clearCommandBuffer()
 	
 	if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
 		return oops('This is not a TNP3xxx tag. aborting.')
 	end	
 	
+	print((' Found tag : %s'):format(result.name))
+	
 	-- Show info
 	print(('Using keyA : %s'):format(keyA))
 	print( string.rep('--',20) )
 
-	
+	--Trying to find the other keys
 	if useNested then
-	  print('Trying to find keys.')
 	  core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
 	end
 	
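Review bot: `core.console( cmdSetDbgOff)` sets the device debug level to 0 and nothing in this hunk puts it back, so the setting outlives the script on every exit path, including the `return oops(...)` ones that follow. If the previous level cannot be read back and restored, at least record that in the comment, e.g. `-- Turn off debug output; NOTE: the level stays at 0 after the script exits`. The command is also issued before `lib14a.read1443a` confirms a tag is present; placing it after the SAK check would avoid changing device state for a run that aborts immediately. main() starts and ends outside this hunk.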
@@ -165,6 +169,8 @@ local function main(args)
 	local blockNo
 	local blocks = {}
 
+	print('Reading card data')
+	
 	-- main loop
 	for blockNo = 0, numBlocks-1, 1 do
 
@@ -188,8 +194,7 @@ local function main(args)
 				-- Block 0-7 not encrypted
 				blocks[blockNo+1] = ('%02d  :: %s :: %s'):format(blockNo,blockdata,blockdata) 
 			else
-				local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)
-				local md5hash = md5.sumhexa(base)
+				local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)		local md5hash = md5.sumhexa(base)
 				local aestest = core.aes(md5hash, blockdata)
 			
 				local _,hex = bin.unpack(("H%d"):format(16),aestest)
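Review bot: The added line fuses two statements, `local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)` and `local md5hash = md5.sumhexa(base)`, separated only by tabs. Lua accepts this, but the second declaration is easy to miss when reading the per-block key derivation. Restore the line break so each `local` sits on its own line. The enclosing loop starts and ends outside this hunk.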
@@ -215,6 +220,12 @@ local function main(args)
 	end
 	
 	-- Print results
+	local uid = block0:sub(1,8)
+	local itemtype = block1:sub(1,4)
+	local cardid = block1:sub(9,24)
+	print( ('        UID : %s'):format(uid) )
+	print( ('  ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype]) )
+	print( ('     CARDID : %s'):format(cardid ) )	
 	print('BLK :: DATA                                DECRYPTED' )
 	print( string.rep('--',36) )
 	for _,s in pairs(blocks) do
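Review bot: `toyNames[itemtype]` is nil for any item type missing from default_toys.lua, and it is passed straight to `%s` in `('  ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype])`. Depending on the Lua version in use this either prints `nil` or raises a bad-argument error after all blocks have already been read; `toyNames[itemtype] or 'UNKNOWN'` covers both cases. The table keys are uppercase hex, so if `block1` can hold lowercase digits (not visible here) the lookup should use `itemtype:upper()`. `block0` and `block1` are assigned outside this hunk, so confirm they are always set by the time these lines run.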