// ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
- if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");\r
+ if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");\r
\r
LED_B_ON();\r
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);\r
// statistics on nonce distance\r
if (calibrate) { // for first call only. Otherwise reuse previous calibration\r
LED_B_ON();\r
+ WDT_HIT();\r
\r
davg = dmax = 0;\r
dmin = 2000;\r
continue;\r
};\r
\r
- nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
- for (i = 101; i < 1200; i++) {\r
+ nttmp = prng_successor(nt1, 140); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
+ for (i = 141; i < 1200; i++) {\r
nttmp = prng_successor(nttmp, 1);\r
- if (nttmp == nt2) break;\r
+ if (nttmp == nt2) {break;}\r
}\r
\r
if (i != 1200) {\r
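Review bot: The new search start in `nttmp = prng_successor(nt1, 140);` and `for (i = 141; i < 1200; i++)` is a bare magic number, and the comment on the same line still only mentions 840 and 160 without saying why the loop now begins at 140 instead of 100. As this hunk reads, distances below 141 are never compared against nt2, so the value is a correctness assumption about the cards being supported and deserves to be recorded, e.g. `// nonce distances below 141 are treated as impossible; NXP cards sit around 840, some clones around 160`. Lifting 140/141 and 1200 into named constants would also keep the offset and the loop bound from drifting apart, since they must agree. The enclosing function starts before and ends after this hunk.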
}\r
}\r
\r
- if (rtr <= 1) return;\r
+ if (rtr <= 1) return;\r
\r
davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
\r
// get crypted nonces for target sector\r
for(i=0; i < 2; i++) { // look for exactly two different nonces\r
\r
+ WDT_HIT(); \r
+ if(BUTTON_PRESS()) {\r
+ DbpString("Nested: cancelled");\r
+ crypto1_destroy(pcs);\r
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+ LEDsoff();\r
+ return;\r
+ }\r
+\r
target_nt[i] = 0;\r
while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
- \r
+ \r
// prepare next select. No need to power down the card.\r
if(mifare_classic_halt(pcs, cuid)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");\r
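Review bot: The new button-press abort at the top of the nonce loop (`if(BUTTON_PRESS()) { ... LEDsoff(); return; }`) tears down the cipher state and the FPGA but returns without sending anything to the host, while the function's normal completion appears to end with a reply buffer (the `buf` being assembled at the end of this section), so the client waiting on its `UsbCommand resp` presumably sits until its own timeout, if it has one, with no indication the run was cancelled. Consider acknowledging the cancel before returning, e.g. `cmd_send(CMD_ACK, 0, 0, 0, 0, 0);`, or at least leaving a comment that the host is expected to time out. The earlier `if (rtr <= 1) return;` exit has the same shape, so whichever convention is chosen should apply to both paths. The enclosing function starts before and ends after this hunk.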
if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);\r
}\r
}\r
-\r
+ \r
LED_C_OFF();\r
\r
// ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
// add trace trailer\r
- memset(uid, 0x44, 4);\r
- LogTrace(uid, 4, 0, 0, TRUE);\r
+// memset(uid, 0x44, 4);\r
+// LogTrace(uid, 4, 0, 0, TRUE);\r
\r
byte_t buf[4 + 4 * 4];\r
memcpy(buf, &cuid, 4);\r
lf em4x 410xsim 124s
lf em4x 410xsim 0F0368568B
da pl
+scr run sky
+script list
+scr run mifare_autopwn
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+scr run tnp3 -n
+hf mf nested 0 a 4b0b20107ccb d
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
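Review bot: This hunk appends what looks like an interactive client command history (dozens of identical `scr run tnp3` lines and `hf mf nested ... d` invocations that carry a literal MIFARE key) rather than source, which suggests a local session file was committed by accident. If the file is intended to be tracked, the repeated lines and the key value should be pruned first; otherwise it belongs in .gitignore so future session logs and key material do not land in the repository.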
//flush queue\r
while (ukbhit()) getchar();\r
\r
- \r
// wait cycle\r
while (true) {\r
printf(".");\r
if (ctmp != 'A' && ctmp != 'a') \r
trgKeyType = 1;\r
} else {\r
- \r
- \r
- \r
+ \r
switch (cmdp) {\r
case '0': SectorsCnt = 05; break;\r
case '1': SectorsCnt = 16; break;\r
}\r
}\r
\r
- \r
// nested sectors\r
iterations = 0;\r
PrintAndLog("nested...");\r
bool calibrate = true;\r
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
+\r
+ if (ukbhit()) {\r
+ printf("\naborted via keyboard!\n");\r
+ free(e_sector);\r
+ return 2;\r
+ } \r
+ \r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
PrintAndLog("-----------------------------------------------");\r
if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
PrintAndLog("Nested error.\n");\r
- return 2;\r
- }\r
+ free(e_sector);\r
+ return 2; }\r
else {\r
calibrate = false;\r
}\r
}\r
fclose(fkeys);\r
}\r
- \r
+\r
free(e_sector);\r
}\r
-\r
return 0;\r
}\r
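Review bot: The new keyboard abort in the sector loop (`if (ukbhit()) { printf("\naborted via keyboard!\n"); free(e_sector); return 2; }`) detects the keypress but never reads it, so the character is left in the input buffer; this file already flushes with `while (ukbhit()) getchar();` before its wait loop, and the abort path should do the same before returning so the stray key does not feed the next command. If `fkeys` is already open at that point (its fopen is not in this hunk, but `fclose(fkeys);` further down is), the abort also skips closing it. Minor style point: the rewritten error branch `free(e_sector);` / `return 2; }` puts the closing brace on the return line, unlike the surrounding code. The enclosing function starts before this hunk.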
\r
--- /dev/null
+local _names = {
+ --[[
+ --]]
+ ["0400"]="BASH",
+ ["1600"]="BOOMER" ,
+ ["1800"]="CAMO",
+ ["3000"]="CHOPCHOP" ,
+ ["2000"]="CYNDER",
+ ["6400"]="JET-VAC",
+ ["6700"]="FLASHWING",
+ ["7000"]="TREE REX",
+ ["7100"]="LIGHTCORE SHROOMBOOM",
+ ["1C00"]="DARK SPYRO",
+ ["0600"]="DINORANG" ,
+ ["1200"]="DOUBLE TROUBLE" ,
+ ["1500"]="DRILLSERGEANT" ,
+ ["1400"]="DROBOT",
+ ["0900"]="LIGHTCORE ERUPTOR" ,
+ ["0B00"]="FLAMESLINGER" ,
+ ["1F00"]="GHOST ROASTER",
+ ["0E00"]="GILL GRUNT" ,
+ ["1D00"]="HEX",
+ ["0A00"]="IGNITOR",
+ ["0300"]="LIGHTNINGROD",
+ ["0700"]="LIGHTCORE PRISM BREAK",
+ ["1500"]="SLAMBAM",
+ ["0100"]="SONIC BOOM",
+ ["1000"]="SPYRO",
+ ["1A00"]="STEALTH ELF",
+ ["1B00"]="STUMP SMASH",
+ ["0800"]="SUNBURN",
+ ["0500"]="TERRAFIN",
+ ["1300"]="TRIGGER HAPPY",
+ ["1100"]="VOODOOD",
+ ["0200"]="WARNADO",
+ ["0D00"]="WHAM SHELL",
+ ["0000"]="WHIRLWIND",
+ ["1700"]="WRECKING BALL",
+ ["0C00"]="ZAP",
+ ["1900"]="ZOOK",
+ ["0300"]="DRAGON",
+ ["012D"]="ICE",
+ ["012E"]="PIRATE",
+ ["0130"]="PVPUNLOCK",
+ ["012F"]="UNDEAD",
+ ["0200"]="ANVIL" ,
+ ["CB00"]="CROSSED SWORDS",
+ ["CC00"]="HOURGLASS",
+ ["CA00"]="REGENERATION",
+ ["C900"]="SECRET STASH",
+ ["CD00"]="SHIELD",
+ ["CF00"]="SPARX",
+ ["CE00"]="SPEED BOOTS",
+ ["0194"]="LEGENDARY BASH",
+ ["0430"]="LEGENDARY CHOPCHOP",
+ ["01A0"]="LEGENDARY SPYRO",
+ ["01A3"]="LEGENDARY TRIGGER HAPPY",
+ ["0202"]="PET GILL GRUNT",
+ ["020E"]="PET STEALTH ELF",
+ ["01F9"]="PET TERRAFIN",
+ ["0207"]="PET TRIGGER HAPPY",
+}
+return _names
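Review bot: The table constructor has duplicate keys, so the earlier entry of each pair is silently overwritten: `["1500"]` is both `DRILLSERGEANT` and `SLAMBAM`, `["0300"]` both `LIGHTNINGROD` and `DRAGON`, and `["0200"]` both `WARNADO` and `ANVIL`, meaning only the later name survives and the other three can never be reported. The ids should be re-checked against whatever they were transcribed from rather than corrected by guesswork here, and if the two groups of ids genuinely overlap they may need separate tables. The empty `--[[ --]]` block at the top should be dropped or turned into a real header, e.g. `--- Toy id (first 4 hex chars of block 1) to display name; unknown ids yield nil, so callers must supply a fallback.`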
else return -1;\r
}\r
\r
-\r
-\r
// Compare 16 Bits out of cryptostate\r
int Compare16Bits(const void * a, const void * b) {\r
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;\r
else return -1;\r
}\r
\r
-\r
typedef \r
struct {\r
union {\r
return statelist->head.slhead;\r
}\r
\r
-\r
-\r
-\r
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) \r
{\r
uint16_t i, len;\r
uint32_t uid;\r
UsbCommand resp;\r
-\r
\r
StateList_t statelists[2];\r
struct Crypto1State *p1, *p2, *p3, *p4;\r
local lib14a = require('read14a')
local utils = require('utils')
local md5 = require('md5')
+local toyNames = require('default_toys')
example =[[
1. script run tnp3
local function main(args)
print( string.rep('--',20) )
- print( string.rep('--',20) )
- print()
+ --print( string.rep('--',20) )
+ --print()
local keyA
local cmd
if #(keyA) ~= 12 then
return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA))
end
+
+ -- Turn off Debug
+ local cmdSetDbgOff = "hf mf dbg 0"
+ core.console( cmdSetDbgOff)
result, err = lib14a.read1443a(false)
if not result then
return oops(err)
end
- print((' Found tag : %s'):format(result.name))
-
core.clearCommandBuffer()
if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
return oops('This is not a TNP3xxx tag. aborting.')
end
+ print((' Found tag : %s'):format(result.name))
+
-- Show info
print(('Using keyA : %s'):format(keyA))
print( string.rep('--',20) )
-
+ --Trying to find the other keys
if useNested then
- print('Trying to find keys.')
core.console( ('hf mf nested 1 0 A %s d'):format(keyA) )
end
local blockNo
local blocks = {}
+ print('Reading card data')
+
-- main loop
for blockNo = 0, numBlocks-1, 1 do
-- Block 0-7 not encrypted
blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata)
else
- local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant)
- local md5hash = md5.sumhexa(base)
+ local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local md5hash = md5.sumhexa(base)
local aestest = core.aes(md5hash, blockdata)
local _,hex = bin.unpack(("H%d"):format(16),aestest)
end
-- Print results
+ local uid = block0:sub(1,8)
+ local itemtype = block1:sub(1,4)
+ local cardid = block1:sub(9,24)
+ print( (' UID : %s'):format(uid) )
+ print( (' ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype]) )
+ print( (' CARDID : %s'):format(cardid ) )
print('BLK :: DATA DECRYPTED' )
print( string.rep('--',36) )
for _,s in pairs(blocks) do
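Review bot: `toyNames[itemtype]` in the new ITEM TYPE line is nil for any id that is not in default_toys, and `('%s'):format(...)` with a nil argument raises "bad argument" on Lua 5.1 (Lua 5.2+ prints "nil" instead), so depending on the interpreter the client bundles an unknown toy aborts the script right after the card has been read; use a fallback such as `toyNames[itemtype] or 'UNKNOWN'`. Earlier in this section, the rewrite to `local base = ('%s%s%d%s'):format(...) local md5hash = md5.sumhexa(base)` puts two statements on one line for no gain and should stay as two lines. The `for` loop on the last line continues outside the hunk.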