]>
Commit | Line | Data |
---|---|---|
224ce36e | 1 | local cmds = require('commands') |
2 | local getopt = require('getopt') | |
3 | local lib14a = require('read14a') | |
4 | local utils = require('utils') | |
5 | local pre = require('precalc') | |
411105e0 | 6 | local toys = require('default_toys') |
224ce36e | 7 | |
8 | local lsh = bit32.lshift | |
9 | local rsh = bit32.rshift | |
10 | local bor = bit32.bor | |
11 | local band = bit32.band | |
12 | ||
13 | example =[[ | |
411105e0 | 14 | script run tnp3clone |
15 | script run tnp3clone -h | |
16 | script run tnp3clone -t aa00 -s 0030 | |
224ce36e | 17 | |
18 | ]] | |
19 | author = "Iceman" | |
411105e0 | 20 | usage = "script run tnp3clone -t <toytype> -s <subtype>" |
224ce36e | 21 | desc =[[ |
22 | This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card. | |
23 | ||
24 | Arguments: | |
25 | -h : this help | |
411105e0 | 26 | -t <data> : toytype id, 4hex symbols. |
27 | -s <data> : subtype id, 4hex symbols | |
8e0cf023 | 28 | |
29 | For fun, try the following subtype id: | |
30 | 0612 - Lightcore | |
31 | 0118 - Series 1 | |
32 | 0138 - Series 2 | |
33 | 0234 - Special | |
34 | 023c - Special | |
35 | ||
224ce36e | 36 | ]] |
37 | ||
38 | ||
39 | -- This is only meant to be used when errors occur | |
40 | function oops(err) | |
41 | print("ERROR: ",err) | |
42 | end | |
43 | -- Usage help | |
44 | function help() | |
45 | print(desc) | |
46 | print("Example usage") | |
47 | print(example) | |
48 | end | |
49 | ||
50 | local function waitCmd() | |
51 | local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000) | |
52 | if response then | |
53 | local count,cmd,arg0 = bin.unpack('LL',response) | |
54 | if(arg0==1) then | |
55 | local count,arg1,arg2,data = bin.unpack('LLH511',response,count) | |
56 | return data:sub(1,32) | |
57 | else | |
58 | return nil, "Couldn't read block." | |
59 | end | |
60 | end | |
61 | return nil, "No response from device" | |
62 | end | |
63 | ||
64 | local function readblock( blocknum, keyA ) | |
65 | -- Read block 0 | |
66 | cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = blocknum, arg2 = 0, arg3 = 0, data = keyA} | |
67 | err = core.SendCommand(cmd:getBytes()) | |
68 | if err then return nil, err end | |
69 | local block0, err = waitCmd() | |
70 | if err then return nil, err end | |
71 | return block0 | |
72 | end | |
73 | local function readmagicblock( blocknum ) | |
74 | -- Read block 0 | |
75 | local CSETBLOCK_SINGLE_OPERATION = 0x1F | |
76 | cmd = Command:new{cmd = cmds.CMD_MIFARE_CGETBLOCK, arg1 = CSETBLOCK_SINGLE_OPERATION, arg2 = 0, arg3 = blocknum} | |
77 | err = core.SendCommand(cmd:getBytes()) | |
78 | if err then return nil, err end | |
79 | local block0, err = waitCmd() | |
80 | if err then return nil, err end | |
81 | return block0 | |
82 | end | |
83 | ||
84 | local function main(args) | |
85 | ||
411105e0 | 86 | print( string.rep('--',20) ) |
87 | print( string.rep('--',20) ) | |
88 | ||
224ce36e | 89 | local numBlocks = 64 |
90 | local cset = 'hf mf csetbl ' | |
411105e0 | 91 | local csetuid = 'hf mf csetuid ' |
224ce36e | 92 | local cget = 'hf mf cgetbl ' |
93 | local empty = '00000000000000000000000000000000' | |
94 | local AccAndKeyB = '7F078869000000000000' | |
95 | -- Defaults to Gusto | |
96 | local toytype = 'C201' | |
411105e0 | 97 | local subtype = '0030' |
98 | local DEBUG = true | |
224ce36e | 99 | |
100 | -- Arguments for the script | |
411105e0 | 101 | for o, a in getopt.getopt(args, 'ht:s:') do |
224ce36e | 102 | if o == "h" then return help() end |
103 | if o == "t" then toytype = a end | |
411105e0 | 104 | if o == "s" then subtype = a end |
224ce36e | 105 | end |
106 | ||
411105e0 | 107 | if #toytype ~= 4 then return oops('Wrong size - toytype. (4hex symbols)') end |
108 | if #subtype ~= 4 then return oops('Wrong size - subtype. (4hex symbols)') end | |
109 | ||
110 | -- look up type, find & validate types | |
111 | local item = toys.Find( toytype, subtype) | |
112 | if item then | |
113 | print( (' Looking up input: Found %s - %s (%s)'):format(item[6],item[5], item[4]) ) | |
114 | else | |
115 | print('Didn\'t find item type. If you are sure about it, report it in') | |
116 | end | |
117 | --15,16 | |
118 | --13-14 | |
119 | ||
224ce36e | 120 | |
121 | -- find tag | |
122 | result, err = lib14a.read1443a(false) | |
123 | if not result then return oops(err) end | |
124 | ||
224ce36e | 125 | -- load keys |
126 | local akeys = pre.GetAll(result.uid) | |
127 | local keyA = akeys:sub(1, 12 ) | |
128 | ||
129 | local b0 = readblock(0,keyA) | |
130 | if not b0 then | |
131 | print('failed reading block with factorydefault key. Trying chinese magic read.') | |
132 | b0, err = readmagicblock(0) | |
133 | if not b0 then | |
134 | oops(err) | |
135 | return oops('failed reading block with chinese magic command. quitting...') | |
136 | end | |
137 | end | |
138 | ||
139 | -- wipe card. | |
411105e0 | 140 | local cmd = (csetuid..'%s 0004 08 w'):format(result.uid) |
224ce36e | 141 | core.console(cmd) |
224ce36e | 142 | |
411105e0 | 143 | local b1 = toytype..'00000000000000000000'..subtype |
224ce36e | 144 | local calc = utils.Crc16(b0..b1) |
145 | local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8)) | |
146 | ||
147 | local cmd = (cset..'1 %s%04x'):format( b1, calcEndian) | |
148 | core.console(cmd) | |
149 | ||
150 | local pos, key | |
151 | for blockNo = 2, numBlocks-1, 1 do | |
152 | pos = (math.floor( blockNo / 4 ) * 12)+1 | |
153 | key = akeys:sub(pos, pos + 11 ) | |
154 | if blockNo%4 == 3 then | |
155 | cmd = ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB) | |
156 | core.console(cmd) | |
157 | end | |
158 | end | |
159 | core.clearCommandBuffer() | |
160 | end | |
161 | main(args) |