| 1 | //----------------------------------------------------------------------------- |
| 2 | // Copyright (C) 2013 m h swende <martin at swende.se> |
| 3 | // |
| 4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, |
| 5 | // at your option, any later version. See the LICENSE.txt file for the text of |
| 6 | // the license. |
| 7 | //----------------------------------------------------------------------------- |
| 8 | // Some lua scripting glue to proxmark core. |
| 9 | //----------------------------------------------------------------------------- |
| 10 | |
| 11 | #include "scripting.h" |
| 12 | |
| 13 | #include <stdlib.h> |
| 14 | #include <lua.h> |
| 15 | #include <lualib.h> |
| 16 | #include <lauxlib.h> |
| 17 | #include <string.h> |
| 18 | #include "proxmark3.h" |
| 19 | #include "comms.h" |
| 20 | #include "usb_cmd.h" |
| 21 | #include "cmdmain.h" |
| 22 | #include "util.h" |
| 23 | #include "mifare/mifarehost.h" |
| 24 | #include "../common/iso15693tools.h" |
| 25 | #include "iso14443crc.h" |
| 26 | #include "../common/crc16.h" |
| 27 | #include "../common/crc64.h" |
| 28 | #include <mbedtls/sha1.h> |
| 29 | #include <mbedtls/aes.h> |
| 30 | |
| 31 | /** |
| 32 | * The following params expected: |
| 33 | * UsbCommand c |
| 34 | *@brief l_SendCommand |
| 35 | * @param L |
| 36 | * @return |
| 37 | */ |
| 38 | static int l_SendCommand(lua_State *L){ |
| 39 | |
| 40 | /* |
| 41 | * |
| 42 | The SendCommand (native) expects the following structure: |
| 43 | |
| 44 | typedef struct { |
| 45 | uint64_t cmd; //8 bytes |
| 46 | uint64_t arg[3]; // 8*3 bytes = 24 bytes |
| 47 | union { |
| 48 | uint8_t asBytes[USB_CMD_DATA_SIZE]; // 1 byte * 512 = 512 bytes (OR) |
| 49 | uint32_t asDwords[USB_CMD_DATA_SIZE/4]; // 4 byte * 128 = 512 bytes |
| 50 | } d; |
| 51 | } PACKED UsbCommand; |
| 52 | |
| 53 | ==> A 544 byte buffer will do. |
| 54 | **/ |
| 55 | //Pop cmd |
| 56 | size_t size; |
| 57 | const char *data = luaL_checklstring(L, 1, &size); |
| 58 | if(size != sizeof(UsbCommand)) |
| 59 | { |
| 60 | printf("Got data size %d, expected %d" , (int) size,(int) sizeof(UsbCommand)); |
| 61 | lua_pushstring(L,"Wrong data size"); |
| 62 | return 1; |
| 63 | } |
| 64 | |
| 65 | // UsbCommand c = (*data); |
| 66 | SendCommand((UsbCommand* )data); |
| 67 | return 0; // no return values |
| 68 | } |
| 69 | /** |
| 70 | * @brief The following params expected: |
| 71 | * uint32_t cmd |
| 72 | * size_t ms_timeout |
| 73 | * @param L |
| 74 | * @return |
| 75 | */ |
| 76 | static int l_WaitForResponseTimeout(lua_State *L){ |
| 77 | |
| 78 | uint32_t cmd = 0; |
| 79 | size_t ms_timeout = -1; |
| 80 | |
| 81 | //Check number of arguments |
| 82 | int n = lua_gettop(L); |
| 83 | if(n == 0) |
| 84 | { |
| 85 | //signal error by returning Nil, errorstring |
| 86 | lua_pushnil(L); |
| 87 | lua_pushstring(L,"You need to supply at least command to wait for"); |
| 88 | return 2; // two return values |
| 89 | } |
| 90 | if(n >= 1) |
| 91 | { |
| 92 | //pop cmd |
| 93 | cmd = luaL_checkunsigned(L,1); |
| 94 | } |
| 95 | if(n >= 2) |
| 96 | { |
| 97 | //Did the user send a timeout ? |
| 98 | //Check if the current top of stack is an integer |
| 99 | ms_timeout = luaL_checkunsigned(L,2); |
| 100 | //printf("Timeout set to %dms\n" , (int) ms_timeout); |
| 101 | } |
| 102 | |
| 103 | UsbCommand response; |
| 104 | |
| 105 | if(WaitForResponseTimeout(cmd, &response, ms_timeout)) |
| 106 | { |
| 107 | //Push it as a string |
| 108 | lua_pushlstring(L,(const char *)&response,sizeof(UsbCommand)); |
| 109 | |
| 110 | return 1;// return 1 to signal one return value |
| 111 | }else{ |
| 112 | //Push a Nil instead |
| 113 | lua_pushnil(L); |
| 114 | return 1;// one return value |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | static int returnToLuaWithError(lua_State *L, const char* fmt, ...) |
| 119 | { |
| 120 | char buffer[200]; |
| 121 | va_list args; |
| 122 | va_start(args,fmt); |
| 123 | vsnprintf(buffer, sizeof(buffer), fmt,args); |
| 124 | va_end(args); |
| 125 | |
| 126 | lua_pushnil(L); |
| 127 | lua_pushstring(L,buffer); |
| 128 | return 2; |
| 129 | } |
| 130 | |
| 131 | static int l_mfDarkside(lua_State *L){ |
| 132 | |
| 133 | uint64_t key; |
| 134 | |
| 135 | int retval = mfDarkside(&key); |
| 136 | |
| 137 | //Push the retval on the stack |
| 138 | lua_pushinteger(L, retval); |
| 139 | |
| 140 | //Push the key onto the stack |
| 141 | uint8_t dest_key[8]; |
| 142 | num_to_bytes(key, sizeof(dest_key), dest_key); |
| 143 | |
| 144 | //printf("Pushing to lua stack: %012" PRIx64 "\n",key); |
| 145 | lua_pushlstring(L,(const char *)dest_key, sizeof(dest_key)); |
| 146 | |
| 147 | return 2; //Two return values |
| 148 | } |
| 149 | |
| 150 | //static int l_PrintAndLog(lua_State *L){ return CmdHF14AMfDump(luaL_checkstring(L, 1));} |
| 151 | |
| 152 | static int l_clearCommandBuffer(lua_State *L){ |
| 153 | clearCommandBuffer(); |
| 154 | return 0; |
| 155 | } |
| 156 | /** |
| 157 | * @brief l_foobar is a dummy function to test lua-integration with |
| 158 | * @param L |
| 159 | * @return |
| 160 | */ |
| 161 | static int l_foobar(lua_State *L) |
| 162 | { |
| 163 | //Check number of arguments |
| 164 | int n = lua_gettop(L); |
| 165 | printf("foobar called with %d arguments" , n); |
| 166 | lua_settop(L, 0); |
| 167 | printf("Arguments discarded, stack now contains %d elements", lua_gettop(L)); |
| 168 | |
| 169 | // todo: this is not used, where was it intended for? |
| 170 | // UsbCommand response = {CMD_MIFARE_READBL, {1337, 1338, 1339}}; |
| 171 | |
| 172 | printf("Now returning a uint64_t as a string"); |
| 173 | uint64_t x = 0xDEADBEEF; |
| 174 | uint8_t destination[8]; |
| 175 | num_to_bytes(x,sizeof(x),destination); |
| 176 | lua_pushlstring(L,(const char *)&x,sizeof(x)); |
| 177 | lua_pushlstring(L,(const char *)destination,sizeof(destination)); |
| 178 | |
| 179 | return 2; |
| 180 | } |
| 181 | |
| 182 | |
| 183 | /** |
| 184 | * @brief Utility to check if a key has been pressed by the user. This method does not block. |
| 185 | * @param L |
| 186 | * @return boolean, true if kbhit, false otherwise. |
| 187 | */ |
| 188 | static int l_ukbhit(lua_State *L) |
| 189 | { |
| 190 | lua_pushboolean(L,ukbhit() ? true : false); |
| 191 | return 1; |
| 192 | } |
| 193 | /** |
| 194 | * @brief Calls the command line parser to deal with the command. This enables |
| 195 | * lua-scripts to do stuff like "core.console('hf mf mifare')" |
| 196 | * @param L |
| 197 | * @return |
| 198 | */ |
| 199 | static int l_CmdConsole(lua_State *L) |
| 200 | { |
| 201 | CommandReceived((char *)luaL_checkstring(L, 1)); |
| 202 | return 0; |
| 203 | } |
| 204 | |
| 205 | static int l_iso15693_crc(lua_State *L) |
| 206 | { |
| 207 | // uint16_t Iso15693Crc(uint8_t *v, int n); |
| 208 | size_t size; |
| 209 | const char *v = luaL_checklstring(L, 1, &size); |
| 210 | uint16_t retval = Iso15693Crc((uint8_t *) v, size); |
| 211 | lua_pushinteger(L, (int) retval); |
| 212 | return 1; |
| 213 | } |
| 214 | |
| 215 | static int l_iso14443b_crc(lua_State *L) |
| 216 | { |
| 217 | /* void ComputeCrc14443(int CrcType, |
| 218 | const unsigned char *Data, int Length, |
| 219 | unsigned char *TransmitFirst, |
| 220 | unsigned char *TransmitSecond) |
| 221 | */ |
| 222 | unsigned char buf[USB_CMD_DATA_SIZE]; |
| 223 | size_t len = 0; |
| 224 | const char *data = luaL_checklstring(L, 1, &len); |
| 225 | if (len > USB_CMD_DATA_SIZE-2) |
| 226 | len = USB_CMD_DATA_SIZE-2; |
| 227 | |
| 228 | for (int i = 0; i < len; i += 2) { |
| 229 | sscanf(&data[i], "%02x", (unsigned int *)&buf[i / 2]); |
| 230 | } |
| 231 | ComputeCrc14443(CRC_14443_B, buf, len, &buf[len], &buf[len+1]); |
| 232 | |
| 233 | lua_pushlstring(L, (const char *)&buf, len+2); |
| 234 | return 1; |
| 235 | } |
| 236 | /* |
| 237 | Simple AES 128 cbc hook up to OpenSSL. |
| 238 | params: key, input |
| 239 | */ |
| 240 | static int l_aes128decrypt_cbc(lua_State *L) |
| 241 | { |
| 242 | //Check number of arguments |
| 243 | int i; |
| 244 | size_t size; |
| 245 | const char *p_key = luaL_checklstring(L, 1, &size); |
| 246 | if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size); |
| 247 | |
| 248 | const char *p_encTxt = luaL_checklstring(L, 2, &size); |
| 249 | |
| 250 | unsigned char indata[16] = {0x00}; |
| 251 | unsigned char outdata[16] = {0x00}; |
| 252 | unsigned char aes_key[16] = {0x00}; |
| 253 | unsigned char iv[16] = {0x00}; |
| 254 | |
| 255 | // convert key to bytearray and convert input to bytearray |
| 256 | for (i = 0; i < 32; i += 2) { |
| 257 | sscanf(&p_encTxt[i], "%02x", (unsigned int *)&indata[i / 2]); |
| 258 | sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]); |
| 259 | } |
| 260 | |
| 261 | mbedtls_aes_context ctx; |
| 262 | mbedtls_aes_init(&ctx); |
| 263 | mbedtls_aes_setkey_dec(&ctx, aes_key, 128); |
| 264 | mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT, sizeof(indata), iv, indata,outdata ); |
| 265 | //Push decrypted array as a string |
| 266 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 267 | return 1;// return 1 to signal one return value |
| 268 | } |
| 269 | static int l_aes128decrypt_ecb(lua_State *L) |
| 270 | { |
| 271 | //Check number of arguments |
| 272 | int i; |
| 273 | size_t size; |
| 274 | const char *p_key = luaL_checklstring(L, 1, &size); |
| 275 | if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size); |
| 276 | |
| 277 | const char *p_encTxt = luaL_checklstring(L, 2, &size); |
| 278 | |
| 279 | unsigned char indata[16] = {0x00}; |
| 280 | unsigned char outdata[16] = {0x00}; |
| 281 | unsigned char aes_key[16] = {0x00}; |
| 282 | |
| 283 | // convert key to bytearray and convert input to bytearray |
| 284 | for (i = 0; i < 32; i += 2) { |
| 285 | sscanf(&p_encTxt[i], "%02x", (unsigned int *)&indata[i / 2]); |
| 286 | sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]); |
| 287 | } |
| 288 | mbedtls_aes_context ctx; |
| 289 | mbedtls_aes_init(&ctx); |
| 290 | mbedtls_aes_setkey_dec(&ctx, aes_key, 128); |
| 291 | mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_DECRYPT, indata, outdata ); |
| 292 | |
| 293 | //Push decrypted array as a string |
| 294 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 295 | return 1;// return 1 to signal one return value |
| 296 | } |
| 297 | |
| 298 | static int l_aes128encrypt_cbc(lua_State *L) |
| 299 | { |
| 300 | //Check number of arguments |
| 301 | int i; |
| 302 | size_t size; |
| 303 | const char *p_key = luaL_checklstring(L, 1, &size); |
| 304 | if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size); |
| 305 | |
| 306 | const char *p_txt = luaL_checklstring(L, 2, &size); |
| 307 | |
| 308 | unsigned char indata[16] = {0x00}; |
| 309 | unsigned char outdata[16] = {0x00}; |
| 310 | unsigned char aes_key[16] = {0x00}; |
| 311 | unsigned char iv[16] = {0x00}; |
| 312 | |
| 313 | for (i = 0; i < 32; i += 2) { |
| 314 | sscanf(&p_txt[i], "%02x", (unsigned int *)&indata[i / 2]); |
| 315 | sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]); |
| 316 | } |
| 317 | |
| 318 | mbedtls_aes_context ctx; |
| 319 | mbedtls_aes_init(&ctx); |
| 320 | mbedtls_aes_setkey_enc(&ctx, aes_key, 128); |
| 321 | mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, sizeof(indata), iv, indata, outdata ); |
| 322 | //Push encrypted array as a string |
| 323 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 324 | return 1;// return 1 to signal one return value |
| 325 | } |
| 326 | |
| 327 | static int l_aes128encrypt_ecb(lua_State *L) |
| 328 | { |
| 329 | //Check number of arguments |
| 330 | int i; |
| 331 | size_t size; |
| 332 | const char *p_key = luaL_checklstring(L, 1, &size); |
| 333 | if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size); |
| 334 | |
| 335 | const char *p_txt = luaL_checklstring(L, 2, &size); |
| 336 | |
| 337 | unsigned char indata[16] = {0x00}; |
| 338 | unsigned char outdata[16] = {0x00}; |
| 339 | unsigned char aes_key[16] = {0x00}; |
| 340 | |
| 341 | for (i = 0; i < 32; i += 2) { |
| 342 | sscanf(&p_txt[i], "%02x", (unsigned int *)&indata[i / 2]); |
| 343 | sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]); |
| 344 | } |
| 345 | mbedtls_aes_context ctx; |
| 346 | mbedtls_aes_init(&ctx); |
| 347 | mbedtls_aes_setkey_enc(&ctx, aes_key, 128); |
| 348 | mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, indata, outdata ); |
| 349 | //Push encrypted array as a string |
| 350 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 351 | return 1;// return 1 to signal one return value |
| 352 | } |
| 353 | |
| 354 | static int l_crc16(lua_State *L) |
| 355 | { |
| 356 | size_t size; |
| 357 | const char *p_str = luaL_checklstring(L, 1, &size); |
| 358 | |
| 359 | uint16_t retval = crc16_ccitt( (uint8_t*) p_str, size); |
| 360 | lua_pushinteger(L, (int) retval); |
| 361 | return 1; |
| 362 | } |
| 363 | |
| 364 | static int l_crc64(lua_State *L) |
| 365 | { |
| 366 | size_t size; |
| 367 | uint64_t crc = 0; |
| 368 | unsigned char outdata[8] = {0x00}; |
| 369 | |
| 370 | const char *p_str = luaL_checklstring(L, 1, &size); |
| 371 | |
| 372 | crc64( (uint8_t*) p_str, size, &crc); |
| 373 | |
| 374 | outdata[0] = (uint8_t)(crc >> 56) & 0xff; |
| 375 | outdata[1] = (uint8_t)(crc >> 48) & 0xff; |
| 376 | outdata[2] = (uint8_t)(crc >> 40) & 0xff; |
| 377 | outdata[3] = (uint8_t)(crc >> 32) & 0xff; |
| 378 | outdata[4] = (uint8_t)(crc >> 24) & 0xff; |
| 379 | outdata[5] = (uint8_t)(crc >> 16) & 0xff; |
| 380 | outdata[6] = (uint8_t)(crc >> 8) & 0xff; |
| 381 | outdata[7] = crc & 0xff; |
| 382 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 383 | return 1; |
| 384 | } |
| 385 | |
| 386 | static int l_sha1(lua_State *L) |
| 387 | { |
| 388 | size_t size; |
| 389 | const char *p_str = luaL_checklstring(L, 1, &size); |
| 390 | unsigned char outdata[20] = {0x00}; |
| 391 | mbedtls_sha1( (uint8_t*) p_str, size, outdata); |
| 392 | lua_pushlstring(L,(const char *)&outdata, sizeof(outdata)); |
| 393 | return 1; |
| 394 | } |
| 395 | |
| 396 | /** |
| 397 | * @brief Sets the lua path to include "./lualibs/?.lua", in order for a script to be |
| 398 | * able to do "require('foobar')" if foobar.lua is within lualibs folder. |
| 399 | * Taken from http://stackoverflow.com/questions/4125971/setting-the-global-lua-path-variable-from-c-c |
| 400 | * @param L |
| 401 | * @param path |
| 402 | * @return |
| 403 | */ |
| 404 | int setLuaPath( lua_State* L, const char* path ) |
| 405 | { |
| 406 | lua_getglobal( L, "package" ); |
| 407 | lua_getfield( L, -1, "path" ); // get field "path" from table at top of stack (-1) |
| 408 | const char* cur_path = lua_tostring( L, -1 ); // grab path string from top of stack |
| 409 | int requiredLength = strlen(cur_path)+ strlen(path)+10; //A few bytes too many, whatever we can afford it |
| 410 | char * buf = malloc(requiredLength); |
| 411 | snprintf(buf, requiredLength, "%s;%s", cur_path, path); |
| 412 | lua_pop( L, 1 ); // get rid of the string on the stack we just pushed on line 5 |
| 413 | lua_pushstring( L, buf ); // push the new one |
| 414 | lua_setfield( L, -2, "path" ); // set the field "path" in table at -2 with value at top of stack |
| 415 | lua_pop( L, 1 ); // get rid of package table from top of stack |
| 416 | free(buf); |
| 417 | return 0; // all done! |
| 418 | } |
| 419 | |
| 420 | |
| 421 | int set_pm3_libraries(lua_State *L) |
| 422 | { |
| 423 | |
| 424 | static const luaL_Reg libs[] = { |
| 425 | {"SendCommand", l_SendCommand}, |
| 426 | {"WaitForResponseTimeout", l_WaitForResponseTimeout}, |
| 427 | {"mfDarkside", l_mfDarkside}, |
| 428 | //{"PrintAndLog", l_PrintAndLog}, |
| 429 | {"foobar", l_foobar}, |
| 430 | {"ukbhit", l_ukbhit}, |
| 431 | {"clearCommandBuffer", l_clearCommandBuffer}, |
| 432 | {"console", l_CmdConsole}, |
| 433 | {"iso15693_crc", l_iso15693_crc}, |
| 434 | {"iso14443b_crc", l_iso14443b_crc}, |
| 435 | {"aes128_decrypt", l_aes128decrypt_cbc}, |
| 436 | {"aes128_decrypt_ecb", l_aes128decrypt_ecb}, |
| 437 | {"aes128_encrypt", l_aes128encrypt_cbc}, |
| 438 | {"aes128_encrypt_ecb", l_aes128encrypt_ecb}, |
| 439 | {"crc16", l_crc16}, |
| 440 | {"crc64", l_crc64}, |
| 441 | {"sha1", l_sha1}, |
| 442 | {NULL, NULL} |
| 443 | }; |
| 444 | |
| 445 | lua_pushglobaltable(L); |
| 446 | // Core library is in this table. Contains ' |
| 447 | //this is 'pm3' table |
| 448 | lua_newtable(L); |
| 449 | |
| 450 | //Put the function into the hash table. |
| 451 | for (int i = 0; libs[i].name; i++) { |
| 452 | lua_pushcfunction(L, libs[i].func); |
| 453 | lua_setfield(L, -2, libs[i].name);//set the name, pop stack |
| 454 | } |
| 455 | //Name of 'core' |
| 456 | lua_setfield(L, -2, "core"); |
| 457 | |
| 458 | //-- remove the global environment table from the stack |
| 459 | lua_pop(L, 1); |
| 460 | |
| 461 | //-- Last but not least, add to the LUA_PATH (package.path in lua) |
| 462 | // so we can load libraries from the ./lualib/ - directory |
| 463 | char libraries_path[strlen(get_my_executable_directory()) + strlen(LUA_LIBRARIES_DIRECTORY) + strlen(LUA_LIBRARIES_WILDCARD) + 1]; |
| 464 | strcpy(libraries_path, get_my_executable_directory()); |
| 465 | strcat(libraries_path, LUA_LIBRARIES_DIRECTORY); |
| 466 | strcat(libraries_path, LUA_LIBRARIES_WILDCARD); |
| 467 | setLuaPath(L, libraries_path); |
| 468 | |
| 469 | return 1; |
| 470 | } |