[proxmark3-svn] / client / scripts / mfkeys.lua

--[[
	This is an example of Lua-scripting within proxmark3. This is a lua-side
	implementation of hf mf chk  

	This code is licensed to you under the terms of the GNU GPL, version 2 or,
	at your option, any later version. See the LICENSE.txt file for the text of
	the license.
	
	Copyright (C) 2013 m h swende <martin at swende.se>
--]]
-- Loads the commands-library
local cmds = require('commands')
-- Load the default keys
local keys = require('mf_default_keys')
-- Ability to read what card is there
local reader = require('read14a')
local getopt = require('getopt')

local OR = bit32.bor
local LSHIFT = bit32.lshift

example =[[
	 script run mfkeys
]]
author = "Iceman"
usage = "script run mfkeys"
desc = ("This script implements Mifare check keys. It utilises a large list of default keys (currently %d keys).\
If you want to add more, just put them inside /lualibs/mf_default_keys.lua\n"):format(#keys) ..
[[

Arguments:
	-h             : this help
]]

local TIMEOUT = 10000 -- 10 seconds
--- 
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
end
	
--[[This may be moved to a separate library at some point]]
local utils = 
{
	--- 
	-- Asks the user for Yes or No
	confirm = function(message, ...)
		local answer
		message = message .. " [y]/[n] ?"
		repeat
			io.write(message)
			io.flush()
			answer=io.read()
			if answer == 'Y' or answer == "y" then
				return true
			elseif answer == 'N' or answer == 'n' then 
				return false
			end
		until false
	end,
	---
	-- Asks the user for input
	input = function (message , default)
		local answer
		if default ~= nil then
			message = message .. " (default: ".. default.. " )"
		end
		message = message .." \n > "
		io.write(message)
		io.flush()
		answer=io.read()
		if answer == '' then answer = default end

		return answer
	end,
}


local function checkCommand(command)

	--print("Sending this command : " .. tostring(command))
	local usbcommand = command:getBytes()
	core.SendCommand(usbcommand)
	local result = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
	if result then
		local count,cmd,arg0 = bin.unpack('LL',result)
		if(arg0==1) then
			local count,arg1,arg2,data = bin.unpack('LLH511',result,count)
			key = data:sub(1,12)
			return key
		else
			--print("Key not found...")
			return nil
		end
	else
		print("Timeout while waiting for response. Increase TIMEOUT in keycheck.lua to wait longer")
		return nil, "Timeout while waiting for device to respond"
	end
end

function checkBlock(blockNo, keys, keyType)
	-- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go. 
	-- If there's more, we need to split it up
	local start, remaining= 1, #keys
	local packets = {}
	while remaining > 0 do
		local n,data = remaining, nil
		if remaining > 85 then n = 85 end
		local data = table.concat(keys,"",start,n)
		print(("Testing block %d, keytype %d, with %d keys"):format(blockNo, keyType, n))
		local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS, 
								arg1 =  OR(blockNo, LSHIFT(keyType,8) ),
								arg2 = 0, 
								arg3 = n, 
								data = data}
		local status = checkCommand(command)
		if status then return status, blockNo end
		start = start+n+1
		remaining = remaining - n
	end
	return nil
end

-- A function to display the results
-- TODO: iceman 2016,  still screws up output when a key is not found.
local function displayresults(results)
	local sector, blockNo, keyA, keyB,_

	print("|---|----------------|---|----------------|---|")
	print("|sec|key A           |res|key B           |res|")
	print("|---|----------------|---|----------------|---|")

	for sector,_ in pairs(results) do
		blockNo, keyA, keyB = unpack(_)
		print(("|%03d|  %s  | 1 |  %s  | 1 |"):format(sector, keyA, keyB ))
	end
	print("|---|----------------|---|----------------|---|")

end
-- A little helper to place an item first in the list
local function placeFirst(akey, list)
	akey  = akey:lower()
	if list[1] == akey then 
		-- Already at pole position
		return list
	end
	local result = {akey}
	--print(("Putting '%s' first"):format(akey))
	for i,v in ipairs(list) do
		if v ~= akey then 
			result[#result+1] = v
		end
	end
	return result
end
local function dumptofile(results)
	local sector, blockNo, keyA, keyB,_

	if utils.confirm("Do you wish to save the keys to dumpfile?") then 
		local destination = utils.input("Select a filename to store to", "dumpkeys.bin")
		local file = io.open(destination, "w")
		if file == nil then 
			print("Could not write to file ", destination)
			return
		end

		local key_a = ""
		local key_b = ""
		
		for sector,_ in pairs(results) do
			blockNo, keyA, keyB = unpack(_)
			key_a = key_a .. bin.pack("H",keyA);
			key_b = key_b .. bin.pack("H",keyB);
		end
		file:write(key_a)
		file:write(key_b)
		file:close()
	end
end

local function main( args)

	-- Arguments for the script
	for o, a in getopt.getopt(args, 'h') do
		if o == "h" then return help() end			
	end
	
	result, err = reader.read1443a()
	if not result then
		print(err)
		return
	end

	print(("Found a %s tag"):format(result.name))

	core.clearCommandBuffer()
	local blockNo
	local keyType = 0 -- A=0, B=1
	local numSectors = 16 

	if 0x18 == result.sak then --NXP MIFARE Classic 4k | Plus 4k
		-- IFARE Classic 4K offers 4096 bytes split into forty sectors, 
		-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors. 
		numSectors = 40
	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
		-- 1K offers 1024 bytes of data storage, split into 16 sector
		numSectors = 16
	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
		-- MIFARE Classic mini offers 320 bytes split into five sectors.
		numSectors = 5
	elseif  0x10 == result.sak then-- "NXP MIFARE Plus 2k"
		numSectors = 32
	else
		print("I don't know how many sectors there are on this type of card, defaulting to 16")
	end

	result = {}
	for sector=1,numSectors,1 do

		--[[
		The mifare Classic 1k card has 16 sectors of 4 data blocks each. 
		The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
		8 sectors consist of 16 data blocks. 
		--]]
		local blockNo = sector * 4 -1 
		
		if sector > 32 then
			blockNo = 32*4+ (sector-32)*16 -1
		end

		local keyA = checkBlock(blockNo, keys, 0)
		if keyA then keys  = placeFirst(keyA, keys) end
		keyA = keyA or ""

		local keyB = checkBlock(blockNo, keys, 1)
		if keyB then keys  = placeFirst(keyB, keys) end
		keyB = keyB or ""

		result[sector] = {blockNo, keyA, keyB }

		-- Check if user aborted
		if core.ukbhit() then
			print("Aborted by user")
			break
		end
	end
	displayresults(result)
	dumptofile(result)
end

main( args)
Commit	Line	Data
16b04cb2	1	--[[
	2	This is an example of Lua-scripting within proxmark3. This is a lua-side
	3	implementation of hf mf chk
	4
	5	This code is licensed to you under the terms of the GNU GPL, version 2 or,
	6	at your option, any later version. See the LICENSE.txt file for the text of
	7	the license.
	8
	9	Copyright (C) 2013 m h swende <martin at swende.se>
05ed5c49	10	--]]
16b04cb2	11	-- Loads the commands-library
	12	local cmds = require('commands')
	13	-- Load the default keys
	14	local keys = require('mf_default_keys')
a2d82b46	15	-- Ability to read what card is there
a2d82b46	16	local reader = require('read14a')
62254ea5	17	local getopt = require('getopt')
a2d82b46	18
62254ea5	19	local OR = bit32.bor
62254ea5	20	local LSHIFT = bit32.lshift
05ed5c49	21
62254ea5	22	example =[[
	23	script run mfkeys
	24	]]
	25	author = "Iceman"
	26	usage = "script run mfkeys"
	27	desc = ("This script implements Mifare check keys. It utilises a large list of default keys (currently %d keys).\
	28	If you want to add more, just put them inside /lualibs/mf_default_keys.lua\n"):format(#keys) ..
	29	[[
	30
	31	Arguments:
	32	-h : this help
	33	]]
16b04cb2	34
16b04cb2	35	local TIMEOUT = 10000 -- 10 seconds
62254ea5	36	---
	37	-- Usage help
	38	function help()
	39	print(desc)
	40	print("Example usage")
	41	print(example)
	42	end
05ed5c49	43
	44	--[[This may be moved to a separate library at some point]]
	45	local utils =
	46	{
	47	---
	48	-- Asks the user for Yes or No
	49	confirm = function(message, ...)
	50	local answer
	51	message = message .. " [y]/[n] ?"
	52	repeat
	53	io.write(message)
	54	io.flush()
	55	answer=io.read()
	56	if answer == 'Y' or answer == "y" then
	57	return true
	58	elseif answer == 'N' or answer == 'n' then
	59	return false
	60	end
	61	until false
	62	end,
	63	---
	64	-- Asks the user for input
	65	input = function (message , default)
	66	local answer
	67	if default ~= nil then
	68	message = message .. " (default: ".. default.. " )"
	69	end
	70	message = message .." \n > "
	71	io.write(message)
	72	io.flush()
	73	answer=io.read()
	74	if answer == '' then answer = default end
	75
	76	return answer
	77	end,
	78	}
	79
16b04cb2	80
	81	local function checkCommand(command)
	82
	83	--print("Sending this command : " .. tostring(command))
	84	local usbcommand = command:getBytes()
	85	core.SendCommand(usbcommand)
	86	local result = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT)
	87	if result then
	88	local count,cmd,arg0 = bin.unpack('LL',result)
	89	if(arg0==1) then
	90	local count,arg1,arg2,data = bin.unpack('LLH511',result,count)
	91	key = data:sub(1,12)
	92	return key
	93	else
	94	--print("Key not found...")
	95	return nil
	96	end
	97	else
	98	print("Timeout while waiting for response. Increase TIMEOUT in keycheck.lua to wait longer")
	99	return nil, "Timeout while waiting for device to respond"
	100	end
	101	end
	102
16b04cb2	103	function checkBlock(blockNo, keys, keyType)
	104	-- The command data is only 512 bytes, each key is 6 bytes, meaning that we can send max 85 keys in one go.
	105	-- If there's more, we need to split it up
	106	local start, remaining= 1, #keys
	107	local packets = {}
	108	while remaining > 0 do
	109	local n,data = remaining, nil
	110	if remaining > 85 then n = 85 end
	111	local data = table.concat(keys,"",start,n)
16b04cb2	112	print(("Testing block %d, keytype %d, with %d keys"):format(blockNo, keyType, n))
16b04cb2	113	local command = Command:new{cmd = cmds.CMD_MIFARE_CHKKEYS,
62254ea5	114	arg1 = OR(blockNo, LSHIFT(keyType,8) ),
62254ea5	115	arg2 = 0,
16b04cb2	116	arg3 = n,
	117	data = data}
	118	local status = checkCommand(command)
	119	if status then return status, blockNo end
	120	start = start+n+1
	121	remaining = remaining - n
	122	end
	123	return nil
	124	end
	125
	126	-- A function to display the results
62254ea5	127	-- TODO: iceman 2016, still screws up output when a key is not found.
16b04cb2	128	local function displayresults(results)
	129	local sector, blockNo, keyA, keyB,_
	130
62254ea5	131	print("\|---\|----------------\|---\|----------------\|---\|")
	132	print("\|sec\|key A \|res\|key B \|res\|")
	133	print("\|---\|----------------\|---\|----------------\|---\|")
16b04cb2	134
	135	for sector,_ in pairs(results) do
	136	blockNo, keyA, keyB = unpack(_)
62254ea5	137	print(("\|%03d\| %s \| 1 \| %s \| 1 \|"):format(sector, keyA, keyB ))
16b04cb2	138	end
62254ea5	139	print("\|---\|----------------\|---\|----------------\|---\|")
16b04cb2	140
	141	end
	142	-- A little helper to place an item first in the list
	143	local function placeFirst(akey, list)
	144	akey = akey:lower()
	145	if list[1] == akey then
	146	-- Already at pole position
	147	return list
	148	end
	149	local result = {akey}
	150	--print(("Putting '%s' first"):format(akey))
	151	for i,v in ipairs(list) do
	152	if v ~= akey then
	153	result[#result+1] = v
	154	end
	155	end
	156	return result
	157	end
05ed5c49	158	local function dumptofile(results)
05ed5c49	159	local sector, blockNo, keyA, keyB,_
16b04cb2	160
05ed5c49	161	if utils.confirm("Do you wish to save the keys to dumpfile?") then
	162	local destination = utils.input("Select a filename to store to", "dumpkeys.bin")
	163	local file = io.open(destination, "w")
	164	if file == nil then
	165	print("Could not write to file ", destination)
	166	return
	167	end
	168
	169	local key_a = ""
	170	local key_b = ""
	171
	172	for sector,_ in pairs(results) do
	173	blockNo, keyA, keyB = unpack(_)
	174	key_a = key_a .. bin.pack("H",keyA);
	175	key_b = key_b .. bin.pack("H",keyB);
	176	end
	177	file:write(key_a)
	178	file:write(key_b)
	179	file:close()
	180	end
	181	end
	182
05ed5c49	183	local function main( args)
16b04cb2	184
62254ea5	185	-- Arguments for the script
	186	for o, a in getopt.getopt(args, 'h') do
	187	if o == "h" then return help() end
	188	end
	189
a2d82b46	190	result, err = reader.read1443a()
	191	if not result then
	192	print(err)
	193	return
	194	end
a2d82b46	195
62254ea5	196	print(("Found a %s tag"):format(result.name))
a2d82b46	197
16b04cb2	198	core.clearCommandBuffer()
	199	local blockNo
	200	local keyType = 0 -- A=0, B=1
05ed5c49	201	local numSectors = 16
	202
	203	if 0x18 == result.sak then --NXP MIFARE Classic 4k \| Plus 4k
	204	-- IFARE Classic 4K offers 4096 bytes split into forty sectors,
	205	-- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
	206	numSectors = 40
	207	elseif 0x08 == result.sak then -- NXP MIFARE CLASSIC 1k \| Plus 2k
	208	-- 1K offers 1024 bytes of data storage, split into 16 sector
	209	numSectors = 16
	210	elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
	211	-- MIFARE Classic mini offers 320 bytes split into five sectors.
	212	numSectors = 5
	213	elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"
	214	numSectors = 32
	215	else
	216	print("I don't know how many sectors there are on this type of card, defaulting to 16")
	217	end
	218
	219	result = {}
	220	for sector=1,numSectors,1 do
16b04cb2	221
16b04cb2	222	--[[
05ed5c49	223	The mifare Classic 1k card has 16 sectors of 4 data blocks each.
05ed5c49	224	The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
16b04cb2	225	8 sectors consist of 16 data blocks.
	226	--]]
	227	local blockNo = sector * 4 -1
	228
	229	if sector > 32 then
	230	blockNo = 324+ (sector-32)16 -1
	231	end
	232
	233	local keyA = checkBlock(blockNo, keys, 0)
	234	if keyA then keys = placeFirst(keyA, keys) end
	235	keyA = keyA or ""
	236
	237	local keyB = checkBlock(blockNo, keys, 1)
	238	if keyB then keys = placeFirst(keyB, keys) end
	239	keyB = keyB or ""
	240
	241	result[sector] = {blockNo, keyA, keyB }
	242
	243	-- Check if user aborted
	244	if core.ukbhit() then
	245	print("Aborted by user")
	246	break
	247	end
	248	end
	249	displayresults(result)
05ed5c49	250	dumptofile(result)
16b04cb2	251	end
16b04cb2	252
05ed5c49	253	main( args)
16b04cb2	254