From 22f1c57786097d373e6d4706588b5d9e9a09e8e5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 9 Nov 2014 17:22:04 +0100 Subject: [PATCH] Updated tnp3.lua added some possibilities to abort the "hf mf nested" command added a rudimentary items identification for tnp3xxx --- armsrc/mifarecmd.c | 28 +++++++---- client/.history | 83 +++++++++++++++++++++++++++++++++ client/cmdhfmf.c | 20 ++++---- client/lualibs/default_toys.lua | 63 +++++++++++++++++++++++++ client/mifarehost.c | 7 --- client/scripts/tnp3.lua | 27 +++++++---- 6 files changed, 195 insertions(+), 33 deletions(-) create mode 100644 client/lualibs/default_toys.lua diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index 7e3e9293..0d1fb77a 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -76,7 +76,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // ----------------------------- crypto1 destroy crypto1_destroy(pcs); - if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED"); + if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED"); LED_B_ON(); cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16); @@ -558,6 +558,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat // statistics on nonce distance if (calibrate) { // for first call only. Otherwise reuse previous calibration LED_B_ON(); + WDT_HIT(); davg = dmax = 0; dmin = 2000; @@ -596,10 +597,10 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat continue; }; - nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160 - for (i = 101; i < 1200; i++) { + nttmp = prng_successor(nt1, 140); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160 + for (i = 141; i < 1200; i++) { nttmp = prng_successor(nttmp, 1); - if (nttmp == nt2) break; + if (nttmp == nt2) {break;} } if (i != 1200) { 
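Review bot: Raising the calibration search start from `prng_successor(nt1, 100)` / `i = 101` to 140 / 141 means a card whose nonce distance is at or below 140 can never match (`i` runs to 1200 and the sample is dismissed), yet the comment kept on the `nttmp = prng_successor(nt1, 140)` line still only records that some compatible cards sit "around 160", so the reason for the new bound and its margin are not documented. Define the bound once, e.g. `#define NESTED_MIN_NONCE_DIST 140 // samples below this are treated as noise; some compatible cards sit near 160`, and use it in both the `prng_successor` call and the `for (i = ...` start so the two numbers cannot drift apart as they are edited separately here. `MifareNested` starts before this hunk and continues after it.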
@@ -615,7 +616,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat } } - if (rtr <= 1) return; + if (rtr <= 1) return; davg = (davg + (rtr - 1)/2) / (rtr - 1); @@ -634,9 +635,18 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat // get crypted nonces for target sector for(i=0; i < 2; i++) { // look for exactly two different nonces + WDT_HIT(); + if(BUTTON_PRESS()) { + DbpString("Nested: cancelled"); + crypto1_destroy(pcs); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + return; + } + target_nt[i] = 0; while(target_nt[i] == 0) { // continue until we have an unambiguous nonce - + // prepare next select. No need to power down the card. if(mifare_classic_halt(pcs, cuid)) { if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error"); @@ -697,15 +707,15 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1); } } - + LED_C_OFF(); // ----------------------------- crypto1 destroy crypto1_destroy(pcs); // add trace trailer - memset(uid, 0x44, 4); - LogTrace(uid, 4, 0, 0, TRUE); +// memset(uid, 0x44, 4); +// LogTrace(uid, 4, 0, 0, TRUE); byte_t buf[4 + 4 * 4]; memcpy(buf, &cuid, 4); diff --git a/client/.history b/client/.history index e20a63e0..d781126a 100644 --- a/client/.history +++ b/client/.history 
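Review bot: The new `BUTTON_PRESS()` exit in the `for(i=0; i < 2; i++)` nonce loop returns after `LEDsoff()` without sending any response, so the `buf` that the function assembles after the loop is never transmitted and the host side of `hf mf nested` presumably sits on its response timeout before it learns the run was cancelled; a `cmd_send(CMD_ACK, 0, 0, 0, NULL, 0)` (or a distinct cancelled status the client checks) before `return` would report the abort immediately. The check is also sampled only once per outer iteration, while the inner `while(target_nt[i] == 0)` loop that "continue[s] until we have an unambiguous nonce" is never interrupted, so a card that keeps yielding ambiguous nonces still cannot be cancelled; moving the `WDT_HIT()` and the `BUTTON_PRESS()` block inside that `while` body covers it. `MifareNested` continues outside this hunk in both directions.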
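Review bot: The trace trailer is disabled by commenting out `memset(uid, 0x44, 4);` and `LogTrace(uid, 4, 0, 0, TRUE);` instead of removing them, which leaves dead code in `MifareNested` and gives the next reader no hint whether the trailer was dropped deliberately or temporarily. Either delete both lines and replace them with a one-line note stating the reason, e.g. `// no trace trailer written here: <reason>`, or keep them behind the existing `MF_DBGLEVEL` guard if they are still wanted for debugging. If `uid` has no other use on this path it may now also trigger an unused-variable warning; that cannot be confirmed from the hunk alone. The function continues past this hunk.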
@@ -9,3 +9,86 @@ lf t55xx rd 2 lf em4x 410xsim 124s lf em4x 410xsim 0F0368568B da pl
+scr run sky
+script list
+scr run mifare_autopwn
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+scr run tnp3 -n
+hf mf nested 0 a 4b0b20107ccb d
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3
+scr run tnp3 -n
+scr run tnp3
+hf mf nested 1 0 a 4b0b20107ccb d
+scr run tnp3
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 1d2de683..8a48c19c 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -36,7 +36,6 @@ start:
 //flush queue
 while (ukbhit()) getchar();
- // wait cycle
 while (true) { printf(".");
@@ -848,9 +847,7 @@ int CmdHF14AMfNested(const char *Cmd)
 if (ctmp != 'A' && ctmp != 'a') trgKeyType = 1; } else {
-
-
-
+ switch (cmdp) { case '0': SectorsCnt = 05; break; case '1': SectorsCnt = 16; break;
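Review bot: `client/.history` is the client's interactive command history, and the 83 lines added here record real sessions, including the MIFARE sector key `4b0b20107ccb` passed to `hf mf nested`; a readline history file is local developer state, not source, and committing it publishes whatever keys, UIDs and dump paths were typed at the prompt. Remove it from the tree (`git rm --cached client/.history`) and add `client/.history` to `.gitignore` so it cannot be re-added by accident. If that key is a published default for TNP3xxx toys, as `tnp3.lua` taking a `keyA` argument suggests, then it is not a secret, but the commit should say so rather than leave the reader to guess; otherwise treat the key as exposed. Either way the file does not belong in this patch.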
@@ -935,20 +932,26 @@ int CmdHF14AMfNested(const char *Cmd) } } - // nested sectors iterations = 0; PrintAndLog("nested..."); bool calibrate = true; for (i = 0; i < NESTED_SECTOR_RETRY; i++) { for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { + + if (ukbhit()) { + printf("\naborted via keyboard!\n"); + free(e_sector); + return 2; + } + for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { if (e_sector[sectorNo].foundKey[trgKeyType]) continue; PrintAndLog("-----------------------------------------------"); if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) { PrintAndLog("Nested error.\n"); - return 2; - } + free(e_sector); + return 2; } else { calibrate = false; } @@ -1018,10 +1021,9 @@ int CmdHF14AMfNested(const char *Cmd) } fclose(fkeys); } - + free(e_sector); } - return 0; } diff --git a/client/lualibs/default_toys.lua b/client/lualibs/default_toys.lua new file mode 100644 index 00000000..abb56515 --- /dev/null +++ b/client/lualibs/default_toys.lua 
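Review bot: The new keyboard abort in the sector loop tests `ukbhit()` but never consumes the keystroke, so the character remains in the input buffer and is delivered to whatever reads stdin next (presumably the command prompt); the same function already flushes with `while (ukbhit()) getchar();` at `start:` in an earlier hunk, and the abort path should do the same before `free(e_sector); return 2;`. The abort is also only sampled between sectors, so a key pressed while `mfnested()` is blocked on the device does not take effect until that call returns; if that is acceptable, a comment such as `// abort is checked between sectors only; the current nested run completes first` above the check would spare users from expecting an immediate stop. `CmdHF14AMfNested` starts before and ends after this hunk.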
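Review bot: `free(e_sector)` is added just before a closing brace, inside a block that is itself closed before `return 0;`, so whether every path out of `CmdHF14AMfNested` releases `e_sector` depends on what that enclosing block is — if it is conditional, any path that skips it leaks the allocation, and the earlier error returns in the function are now freeing while this normal return might not. Placing one `free(e_sector);` directly before `return 0;`, outside any conditional, is easier to audit and removes the question. The block structure begins outside this hunk, so this is a request to confirm rather than a definite leak.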
@@ -0,0 +1,63 @@
+local _names = {
+ --[[
+ --]]
+ ["0400"]="BASH",
+ ["1600"]="BOOMER" ,
+ ["1800"]="CAMO",
+ ["3000"]="CHOPCHOP" ,
+ ["2000"]="CYNDER",
+ ["6400"]="JET-VAC",
+ ["6700"]="FLASHWING",
+ ["7000"]="TREE REX",
+ ["7100"]="LIGHTCORE SHROOMBOOM",
+ ["1C00"]="DARK SPYRO",
+ ["0600"]="DINORANG" ,
+ ["1200"]="DOUBLE TROUBLE" ,
+ ["1500"]="DRILLSERGEANT" ,
+ ["1400"]="DROBOT",
+ ["0900"]="LIGHTCORE ERUPTOR" ,
+ ["0B00"]="FLAMESLINGER" ,
+ ["1F00"]="GHOST ROASTER",
+ ["0E00"]="GILL GRUNT" ,
+ ["1D00"]="HEX",
+ ["0A00"]="IGNITOR",
+ ["0300"]="LIGHTNINGROD",
+ ["0700"]="LIGHTCORE PRISM BREAK",
+ ["1500"]="SLAMBAM",
+ ["0100"]="SONIC BOOM",
+ ["1000"]="SPYRO",
+ ["1A00"]="STEALTH ELF",
+ ["1B00"]="STUMP SMASH",
+ ["0800"]="SUNBURN",
+ ["0500"]="TERRAFIN",
+ ["1300"]="TRIGGER HAPPY",
+ ["1100"]="VOODOOD",
+ ["0200"]="WARNADO",
+ ["0D00"]="WHAM SHELL",
+ ["0000"]="WHIRLWIND",
+ ["1700"]="WRECKING BALL",
+ ["0C00"]="ZAP",
+ ["1900"]="ZOOK",
+ ["0300"]="DRAGON",
+ ["012D"]="ICE",
+ ["012E"]="PIRATE",
+ ["0130"]="PVPUNLOCK",
+ ["012F"]="UNDEAD",
+ ["0200"]="ANVIL" ,
+ ["CB00"]="CROSSED SWORDS",
+ ["CC00"]="HOURGLASS",
+ ["CA00"]="REGENERATION",
+ ["C900"]="SECRET STASH",
+ ["CD00"]="SHIELD",
+ ["CF00"]="SPARX",
+ ["CE00"]="SPEED BOOTS",
+ ["0194"]="LEGENDARY BASH",
+ ["0430"]="LEGENDARY CHOPCHOP",
+ ["01A0"]="LEGENDARY SPYRO",
+ ["01A3"]="LEGENDARY TRIGGER HAPPY",
+ ["0202"]="PET GILL GRUNT",
+ ["020E"]="PET STEALTH ELF",
+ ["01F9"]="PET TERRAFIN",
+ ["0207"]="PET TRIGGER HAPPY",
+}
+return _names
diff --git a/client/mifarehost.c b/client/mifarehost.c
index ed62bcee..cda884d9 100644
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) {
 else return -1; }
-
- // Compare 16 Bits out of cryptostate
 int Compare16Bits(const void * a, const void * b) { if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
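Review bot: The `_names` table constructor contains duplicate keys — `"1500"` is given as both `DRILLSERGEANT` and `SLAMBAM`, `"0300"` as both `LIGHTNINGROD` and `DRAGON`, and `"0200"` as both `WARNADO` and `ANVIL` — and in a Lua table constructor the later assignment silently wins, so the three earlier entries are dead and `tnp3.lua` will label a DRILLSERGEANT as SLAMBAM. Each pair needs one corrected code, or, where the right value is not known, a comment next to the entry such as `-- ID unverified, collides with "1500" above` so the collision is visible rather than silent. The empty `--[[ --]]` block at the top would be the natural place to record where these IDs came from, or it should be dropped.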
@@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) { else return -1; } - typedef struct { union { @@ -70,15 +67,11 @@ void* nested_worker_thread(void *arg) return statelist->head.slhead; } - - - int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) { uint16_t i, len; uint32_t uid; UsbCommand resp; - StateList_t statelists[2]; struct Crypto1State *p1, *p2, *p3, *p4; diff --git a/client/scripts/tnp3.lua b/client/scripts/tnp3.lua index 4e8ca77b..56d0b486 100644 --- a/client/scripts/tnp3.lua +++ b/client/scripts/tnp3.lua @@ -4,6 +4,7 @@ local bin = require('bin') local lib14a = require('read14a') local utils = require('utils') local md5 = require('md5') +local toyNames = require('default_toys') example =[[ 1. script run tnp3 @@ -92,8 +93,8 @@ end local function main(args) print( string.rep('--',20) ) - print( string.rep('--',20) ) - print() + --print( string.rep('--',20) ) + --print() local keyA local cmd @@ -114,27 +115,30 @@ local function main(args) if #(keyA) ~= 12 then return oops( string.format('Wrong length of write key (was %d) expected 12', #keyA)) end + + -- Turn off Debug + local cmdSetDbgOff = "hf mf dbg 0" + core.console( cmdSetDbgOff) result, err = lib14a.read1443a(false) if not result then return oops(err) end - print((' Found tag : %s'):format(result.name)) - core.clearCommandBuffer() if 0x01 ~= result.sak then -- NXP MIFARE TNP3xxx return oops('This is not a TNP3xxx tag. aborting.') end + print((' Found tag : %s'):format(result.name)) + -- Show info print(('Using keyA : %s'):format(keyA)) print( string.rep('--',20) ) - + --Trying to find the other keys if useNested then - print('Trying to find keys.') core.console( ('hf mf nested 1 0 A %s d'):format(keyA) ) end @@ -165,6 +169,8 @@ local function main(args) local blockNo local blocks = {} + print('Reading card data') + -- main loop for blockNo = 0, numBlocks-1, 1 do 
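Review bot: `core.console(cmdSetDbgOff)` lowers the device debug level to 0 for the rest of the session as a side effect of running the script, and nothing restores it when `main` returns — including on the `oops(...)` early exits that follow it — so a user who had debugging on loses it without being told. Either document the side effect in the script's `example` help text or print a reminder right after the call, e.g. `print('Note: device debug output disabled (hf mf dbg 0); set it back with hf mf dbg <level> if you need it')`. Separately, `keyA` is spliced into the `hf mf nested 1 0 A %s d` console command after only the 12-character length check; validating it as hex first, `if not keyA:match('^%x+$') then return oops('keyA must be 12 hex digits') end`, fails fast instead of handing a malformed key to the firmware. `main` starts before and continues after this hunk.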
@@ -188,8 +194,7 @@ local function main(args) -- Block 0-7 not encrypted blocks[blockNo+1] = ('%02d :: %s :: %s'):format(blockNo,blockdata,blockdata) else - local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) - local md5hash = md5.sumhexa(base) + local base = ('%s%s%d%s'):format(block0, block1, blockNo, hashconstant) local md5hash = md5.sumhexa(base) local aestest = core.aes(md5hash, blockdata) local _,hex = bin.unpack(("H%d"):format(16),aestest) @@ -215,6 +220,12 @@ local function main(args) end -- Print results + local uid = block0:sub(1,8) + local itemtype = block1:sub(1,4) + local cardid = block1:sub(9,24) + print( (' UID : %s'):format(uid) ) + print( (' ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype]) ) + print( (' CARDID : %s'):format(cardid ) ) print('BLK :: DATA DECRYPTED' ) print( string.rep('--',36) ) for _,s in pairs(blocks) do -- 2.39.5
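Review bot: The replacement line joins two statements, `local base = (...)  local md5hash = md5.sumhexa(base)`, where the previous version kept them on separate lines (the hunk removes two lines and adds one); Lua allows it, but the second declaration disappears from the left margin and the diff reads as if the hash step had been dropped. Keep `local md5hash = md5.sumhexa(base)` on its own line as before. The enclosing loop body starts before this hunk.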
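Review bot: `toyNames[itemtype]` is `nil` for any type code missing from `default_toys.lua`, and that value is passed straight to `('%s'):format(...)` — depending on the client's Lua version this either raises "string expected, got nil" and aborts the script after the card has already been read, or prints `nil`. Use a fallback: `print( (' ITEM TYPE : %s - %s'):format(itemtype, toyNames[itemtype] or 'UNKNOWN') )`. The table's keys are upper-case hex (`"0B00"`, `"1C00"`), so if `block1` arrives lower-case the lookup misses every letter-bearing code; normalising with `local itemtype = block1:sub(1,4):upper()` avoids that, assuming `block1` is a hex string as the `sub` slicing implies. `main` continues after this hunk.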