CHG: minor fixes to some tnp luascripts
authoriceman1001 <iceman@iuse.se>
Mon, 30 Mar 2015 14:15:53 +0000 (16:15 +0200)
committericeman1001 <iceman@iuse.se>
Mon, 30 Mar 2015 14:15:53 +0000 (16:15 +0200)
ADD:  a script to make a barebone clone for tnp3 on a chinese magic s50 generation 1 tag.

client/lualibs/default_toys.lua
client/scripts/tnp3clone.lua [new file with mode: 0644]
client/scripts/tnp3dump.lua
client/scripts/tnp3sim.lua

index 048a29c9684e63ef5af729ba6a0debaab5347531..749686c75cfeecf06fa37f1315c483230cfd0b76 100644 (file)
@@ -116,42 +116,42 @@ local _names = {
        --[[
        TRAPTEAM
     --]]
-       ["01C2"]="TRAPTEAM GUSTO",
-       ["01C3"]="TRAPTEAM THUNDERBOLT",
-       ["01C4"]="TRAPTEAM FLING KONG",
-       ["01C5"]="TRAPTEAM BLADES",
-       ["01C6"]="TRAPTEAM WALLOP",
-       ["01C7"]="TRAPTEAM HEAD RUSH",
-       ["01C8"]="TRAPTEAM FIST BUMP",
-       ["01C9"]="TRAPTEAM ROCKY ROLL",
-       ["01CA"]="TRAPTEAM WILDFIRE",
-       ["01CB"]="TRAPTEAM KA BOOM",
-       ["01CC"]="TRAPTEAM TRAIL BLAZER",
-       ["01CD"]="TRAPTEAM TORCH",
-       ["01CE"]="TRAPTEAM SNAP SHOT",
-       ["01CF"]="TRAPTEAM LOB STAR",
-       ["01D0"]="TRAPTEAM FLIP WRECK",
-       ["01D1"]="TRAPTEAM ECHO",
-       ["01D2"]="TRAPTEAM BLASTERMIND",
-       ["01D3"]="TRAPTEAM ENIGMA",
-       ["01D4"]="TRAPTEAM DEJA VU",
-       ["01D5"]="TRAPTEAM COBRA CADABRA",
-       ["01D6"]="TRAPTEAM JAWBREAKER", 
-       ["01D7"]="TRAPTEAM GEARSHIFT",
-       ["01D8"]="TRAPTEAM CHOPPER",
-       ["01D9"]="TRAPTEAM TREAD HEAD",
-       ["01DA"]="TRAPTEAM BUSHWHACK",
-       ["01DB"]="TRAPTEAM TUFF LUCK",
-       ["01DC"]="TRAPTEAM FOOD FIGHT",
-       ["01DD"]="TRAPTEAM HIGH FIVE",
-       ["01DE"]="TRAPTEAM NITRO KRYPT KING",
-       ["01DF"]="TRAPTEAM SHORT CUT",
-       ["01E0"]="TRAPTEAM BAT SPIN",
-       ["01E1"]="TRAPTEAM FUNNY BONE",
-       ["01E2"]="TRAPTEAM KNIGHT LIGHT",
-       ["01E3"]="TRAPTEAM SPOTLIGHT",
-       ["01E4"]="TRAPTEAM KNIGHT MARE",
-       ["01E5"]="TRAPTEAM BLACKOUT",
+       ["C201"]="TRAPTEAM GUSTO",
+       ["C301"]="TRAPTEAM THUNDERBOLT",
+       ["C401"]="TRAPTEAM FLING KONG",
+       ["C501"]="TRAPTEAM BLADES",
+       ["C601"]="TRAPTEAM WALLOP",
+       ["C701"]="TRAPTEAM HEAD RUSH",
+       ["C801"]="TRAPTEAM FIST BUMP",
+       ["C901"]="TRAPTEAM ROCKY ROLL",
+       ["CA01"]="TRAPTEAM WILDFIRE",
+       ["CB01"]="TRAPTEAM KA BOOM",
+       ["CC01"]="TRAPTEAM TRAIL BLAZER",
+       ["CD01"]="TRAPTEAM TORCH",
+       ["CE01"]="TRAPTEAM SNAP SHOT",
+       ["CF01"]="TRAPTEAM LOB STAR",
+       ["D001"]="TRAPTEAM FLIP WRECK",
+       ["D101"]="TRAPTEAM ECHO",
+       ["D201"]="TRAPTEAM BLASTERMIND",
+       ["D301"]="TRAPTEAM ENIGMA",
+       ["D401"]="TRAPTEAM DEJA VU",
+       ["D501"]="TRAPTEAM COBRA CADABRA",
+       ["D601"]="TRAPTEAM JAWBREAKER", 
+       ["D701"]="TRAPTEAM GEARSHIFT",
+       ["D801"]="TRAPTEAM CHOPPER",
+       ["D901"]="TRAPTEAM TREAD HEAD",
+       ["DA01"]="TRAPTEAM BUSHWHACK",
+       ["DB01"]="TRAPTEAM TUFF LUCK",
+       ["DC01"]="TRAPTEAM FOOD FIGHT",
+       ["DD01"]="TRAPTEAM HIGH FIVE",
+       ["DE01"]="TRAPTEAM NITRO KRYPT KING",
+       ["DF01"]="TRAPTEAM SHORT CUT",
+       ["E001"]="TRAPTEAM BAT SPIN",
+       ["E101"]="TRAPTEAM FUNNY BONE",
+       ["E201"]="TRAPTEAM KNIGHT LIGHT",
+       ["E301"]="TRAPTEAM SPOTLIGHT",
+       ["E401"]="TRAPTEAM KNIGHT MARE",
+       ["E501"]="TRAPTEAM BLACKOUT",
 
        --[[
        PET
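Review bot: The Trap Team keys switch from `01C2`-style to byte-swapped `C201`-style with no comment stating which byte order `_names` is keyed by, so whoever adds the next entry has to guess. A one-line comment above the section would settle it, for example `-- keys: toy type id in the byte order it is stored on the tag (as tnp3clone.lua writes it at the start of block 1)`. Whether the other sections of the table, which lie outside this hunk, already use the same order is not visible here and is worth checking before merging.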
diff --git a/client/scripts/tnp3clone.lua b/client/scripts/tnp3clone.lua
new file mode 100644 (file)
index 0000000..aec5483
--- /dev/null
@@ -0,0 +1,113 @@
+local cmds = require('commands')
+local getopt = require('getopt')
+local lib14a = require('read14a')
+local utils = require('utils')
+local pre = require('precalc')
+
+local lsh = bit32.lshift
+local rsh = bit32.rshift
+local bor = bit32.bor
+local band = bit32.band
+
+example =[[
+       script run tnp3dump
+       script run tnp3dump -h
+       script run tnp3dump -t aa00
+
+]]
+author = "Iceman"
+usage = "script run tnp3clone -t <toytype>"
+desc =[[
+This script will try making a barebone clone of a tnp3 tag on to a magic generation1 card.
+
+Arguments:
+       -h             : this help
+       -k <key>       : toytype id,  4 hex symbols.
+]]
+
+
+-- This is only meant to be used when errors occur
+function oops(err)
+       print("ERROR: ",err)
+end
+-- Usage help
+function help()
+       print(desc)
+       print("Example usage")
+       print(example)
+end
+
+local function waitCmd()
+       local response = core.WaitForResponseTimeout(cmds.CMD_ACK,2000)
+       if response then
+               local count,cmd,arg0 = bin.unpack('LL',response)
+               if(arg0==1) then
+                       local count,arg1,arg2,data = bin.unpack('LLH511',response,count)
+                       return data:sub(1,32)
+               else
+                       return nil, "Couldn't read block." 
+               end
+       end
+       return nil, "No response from device"
+end
+
+local function readblock( keyA )
+       -- Read block 0
+       cmd = Command:new{cmd = cmds.CMD_MIFARE_READBL, arg1 = 0,arg2 = 0,arg3 = 0, data = keyA}
+       err = core.SendCommand(cmd:getBytes())
+       if err then return oops(err) end
+       local block0, err = waitCmd()
+       if err then return oops(err) end
+       return block0
+end
+
+local function main(args)
+
+       local numBlocks = 64
+    local cset = 'hf mf csetbl'
+       local empty = '00000000000000000000000000000000'
+       local AccAndKeyB = '7F078869000000000000'
+       -- Defaults to Gusto
+       local toytype = 'C201'
+       
+       -- Arguments for the script
+       for o, a in getopt.getopt(args, 'ht:') do
+               if o == "h" then return help() end              
+               if o == "t" then toytype = a end
+       end
+       
+       if #toytype ~= 4 then return oops('Wrong size in toytype. (4hex symbols)') end  
+       
+       -- find tag
+       result, err = lib14a.read1443a(false)
+       if not result then return oops(err)     end
+
+       -- Show tag info
+       print((' Found tag %s'):format(result.name))
+
+       -- load keys
+       local akeys  = pre.GetAll(result.uid)
+       local  keyA = akeys:sub(1, 12 ) 
+
+       local b0 = readblock(keyA)
+       local b1 = toytype..'000000000000000000000000'
+       
+       local calc = utils.Crc16(b0..b1)
+       local calcEndian = bor(rsh(calc,8), lsh(band(calc, 0xff), 8))
+       
+       local cmd  = ('hf mf csetbl 1 %s%04x'):format( b1, calcEndian)  
+       core.console( cmd) 
+       
+       local pos, key
+       for blockNo = 2, numBlocks-1, 1 do
+               pos = (math.floor( blockNo / 4 ) * 12)+1
+               key = akeys:sub(pos, pos + 11 )
+               if  blockNo%4 ~= 3 then
+                       cmd =  ('%s %d %s'):format(cset,blockNo,empty) 
+               else
+                       cmd =  ('%s %d %s%s'):format(cset,blockNo,key,AccAndKeyB) 
+               end
+               core.console(cmd)
+       end 
+end
+main(args)
\ No newline at end of file
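Review bot: `toytype` is only length-checked before it is spliced into the `hf mf csetbl 1 ...` string handed to `core.console`, so any four characters from the command line, not just hex digits, end up in a console command; validate it with `if not toytype:match('^%x%x%x%x$') then return oops('Wrong size in toytype. (4hex symbols)') end`. `readblock` returns nil on every failure path because `oops` returns nothing, and `main` then evaluates `b0..b1`, which raises a concatenation error instead of stopping cleanly; add `if not b0 then return end` right after the call. The help text documents `-k <key>` while getopt parses `t`, and the examples name tnp3dump rather than tnp3clone. `cmd` and `err` in `readblock` and `result` and `err` in `main` are assigned without `local` and leak into the global table.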
index 53822c7d5a5feb719ab1b41e302048494eca4463..363998fb87ad56e768ce94e03d196f21a9936b2b 100644 (file)
@@ -148,7 +148,7 @@ local function main(args)
        core.clearCommandBuffer()
        
        if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx
-               return oops('This is not a TNP3xxx tag. aborting.')
+       --      return oops('This is not a TNP3xxx tag. aborting.')
        end     
 
        -- Show tag info
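Review bot: Commenting out the `return oops(...)` leaves an empty `if 0x01 ~= result.sak then ... end`, so the dump now carries on with any tag type and gives the user no hint that the check was skipped; the commit title does not mention dropping it. If tags reporting another SAK are meant to be accepted, either delete the branch or keep it as a visible warning such as `print('WARNING: SAK is not 0x01, tag may not be a TNP3xxx')`. `main` begins and continues outside this hunk, so what the later steps assume about the tag type cannot be judged from here.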
@@ -215,7 +215,9 @@ local function main(args)
                local blockdata, err = waitCmd()
                if err then return oops(err) end                
 
+
                if  blockNo%4 ~= 3 then
+               
                        if blockNo < 8 then
                                -- Block 0-7 not encrypted
                                blocks[blockNo+1] = ('%02d  :: %s'):format(blockNo,blockdata) 
index fc403758d028e5384da34ee1e34384247cfad88a..1d3dbefd176d663d72bd83cca84c42b41f317cde 100644 (file)
@@ -26,7 +26,7 @@ Arguments:
 ]]
 
 local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds
-local DEBUG = false -- the debug flag
+local DEBUG = true -- the debug flag
 
 
 local band = bit32.band
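Review bot: `DEBUG` is flipped to `true` as the committed default, which reads like a leftover from a local debugging session rather than an intended change. What the flag gates lies outside this hunk, but every user of tnp3sim will now get that output on each run. Keep `local DEBUG = false` in the repository and switch it on at run time if the script has, or gains, an option for it.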
@@ -302,25 +302,25 @@ function DivideByK(msw, lsw)
        remainder = num % RADIX
        return remainder, highLSW, lowLSW
        
-                   uint num = 0 | (msw >> 16) & 0xffff;
+                   -- uint num = 0 | (msw >> 16) & 0xffff;
  
-            highLSW = 0 | (num / RADIX) << 16;
-            remainder = num % RADIX;
+            -- highLSW = 0 | (num / RADIX) << 16;
+            -- remainder = num % RADIX;
 
-            num = (remainder << 16) | (msw & 0xffff);
+            -- num = (remainder << 16) | (msw & 0xffff);
  
-            highLSW |= num / RADIX;
-            remainder = num % RADIX;
+            -- highLSW |= num / RADIX;
+            -- remainder = num % RADIX;
 
-            num = (remainder << 16) | ((lsw >> 16) & 0xffff);
+            -- num = (remainder << 16) | ((lsw >> 16) & 0xffff);
 
-            lowLSW = 0 | (num / RADIX) << 16;
-            remainder = num % RADIX;
+            -- lowLSW = 0 | (num / RADIX) << 16;
+            -- remainder = num % RADIX;
 
-            num = (remainder << 16) | (lsw & 0xffff);
+            -- num = (remainder << 16) | (lsw & 0xffff);
 
-            lowLSW |= num / RADIX;
-            remainder = num % RADIX;
+            -- lowLSW |= num / RADIX;
+            -- remainder = num % RADIX;
 
 end
 
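Review bot: The C statements after the `return` are now kept as `--` line comments with no header saying what they are, so they read as dead code. If they are the reference implementation still to be ported, say so in one line above them, for example `-- C reference for the remaining division steps (not ported yet)`, or drop them. The visible Lua lines compute only `remainder = num % RADIX` before returning `highLSW` and `lowLSW`; whether those two are assigned earlier in `DivideByK` is outside the hunk and should be confirmed.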
@@ -397,7 +397,8 @@ local function main(args)
        print( ('       UID : 0x%s'):format(uid) )
        print( ('    CARDID : 0x%s %s [%s]'):format(
                                                                cardidMsw,cardidLsw, 
-                                                               Num2Card(cardidMsw, cardidLsw))
+                                                               --Num2Card(cardidMsw, cardidLsw))
+                                                               '')
                                                                )
        print( string.rep('--',20) )
 
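Review bot: With the `Num2Card` call replaced by `''`, the CARDID line still carries the `[%s]` placeholder and prints an empty `[]`. Until `Num2Card` works, drop the placeholder instead: `print( ('    CARDID : 0x%s %s'):format(cardidMsw, cardidLsw) )`. The commented-out call left inside the argument list also ends in an extra `)`, which makes the bracket nesting of the `print` hard to read.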