search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
maur keys
[RRG-proxmark3.git] / client / luascripts / hf_mfu_magicwrite.lua
blob199aec7c047fb722134e8023a107eb7a1f40bfd0
1 local cmds = require('commands')
2 local getopt = require('getopt')
3 local lib14a = require('read14a')
4 local utils = require('utils')
5 local ansicolors = require('ansicolors')
6
7 -- global
8 local DEBUG = false -- the debug flag
9 local bxor = bit32.bxor
10 local _password = nil
11 local err_lock = 'use -k or change cfg0 block'
12
13 copyright = 'Copyright (c) 2017 IceSQL AB. All rights reserved.'
14 author = 'Christian Herrmann'
15 version = 'v1.1.4'
16 desc = 'This script enables easy programming of a MAGIC NTAG 21* card'
17 example = [[
18 -- read magic tag configuration
19 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -c ]]..ansicolors.reset..[[
20
21 -- set uid
22 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -u 04112233445566 ]]..ansicolors.reset..[[
23
24 -- set pwd / pack
25 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -p 11223344 -a 8080 ]]..ansicolors.reset..[[
26
27 -- set version to NTAG213
28 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -v 0004040201000f03 ]]..ansicolors.reset..[[
29
30 -- set signature
31 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -s 1122334455667788990011223344556677889900112233445566778899001122 ]]..ansicolors.reset..[[
32
33 -- wipe tag
34 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -w ]]..ansicolors.reset..[[
35
36 -- wipe a locked down tag by giving the password
37 ]]..ansicolors.yellow..[[script run hf_mfu_magicwrite -k ffffffff -w ]]..ansicolors.reset..[[
38
39 ]]
40 usage = [[
41 script run hf_mfu_easywrite -h -k <passwd> -c -w -u <uid> -t <type> -p <passwd> -a <pack> -s <signature> -o <otp> -v <version>
42 ]]
43 arguments = [[
44 -h this help
45 -c read magic configuration
46 -u UID (14 hexsymbols), set UID on tag
47 -t tag type to impersonate
48 1 = UL EV1 48b
49 2 = UL EV1 128b
50 3 = NTAG 210
51 4 = NTAG 212
52 5 = NTAG 213 (true)
53 6 = NTAG 215 (true)
54 7 = NTAG 216 (true)
55 8 = NTAG I2C 1K
56 9 = NTAG I2C 2K
57 10 = NTAG I2C 1K PLUS
58 11 = NTAG I2C 2K PLUS
59 12 = NTAG 213F (true)
60 13 = NTAG 216F (true)
61 -p password (8 hexsymbols), set password on tag.
62 -a pack ( 4 hexsymbols), set pack on tag.
63 -s signature data (64 hexsymbols), set signature data on tag.
64 -o OTP data (8 hexsymbols), set `One-Time Programmable` data on tag.
65 -v version data (16 hexsymbols), set version data on tag.
66 -w wipe tag. You can specify password if the tag has been locked down. Fills tag with zeros and put default values for NTAG213 (like -t 5)
67 -k pwd to use with the wipe option
68 ]]
69 ---
70 -- A debug printout-function
71 local function dbg(args)
72 if not DEBUG then return end
73 if type(args) == 'table' then
74 local i = 1
75 while result[i] do
76 dbg(result[i])
77 i = i+1
78 end
79 else
80 print('###', args)
81 end
82 end
83 -- This is only meant to be used when errors occur
84 local function oops(err)
85 print("ERROR: ",err)
86 core.clearCommandBuffer()
87 return nil, err
88 end
89 ---
90 -- Usage help
91 local function help()
92 print(copyright)
93 print(author)
94 print(version)
95 print(desc)
96 print(ansicolors.cyan..'Usage'..ansicolors.reset)
97 print(usage)
98 print(ansicolors.cyan..'Arguments'..ansicolors.reset)
99 print(arguments)
100 print(ansicolors.cyan..'Example usage'..ansicolors.reset)
101 print(example)
102 end
103 ---
104 -- set the global password variable
105 local function set_password(pwd)
106 if pwd == nil then _password = nil; return true, 'Ok' end
107 if #pwd ~= 8 then return nil, 'password wrong length. Must be 4 hex bytes' end
108 if #pwd == 0 then _password = nil end
109 _password = pwd
110 return true, 'Ok'
111 end
112 --- Picks out and displays the data read from a tag
113 -- Specifically, takes a usb packet, converts to a Command
114 -- (as in commands.lua), takes the data-array and
115 -- reads the number of bytes specified in arg1 (arg0 in c-struct)
116 -- @param usbpacket the data received from the device
117 local function getResponseData(usbpacket)
118 local resp = Command.parse(usbpacket)
119 local len = tonumber(resp.arg1) * 2
120 return string.sub(tostring(resp.data), 0, len);
121 end
122 ---
123 --
124 local function sendRaw(rawdata, options)
125
126 local flags = lib14a.ISO14A_COMMAND.ISO14A_NO_DISCONNECT
127 + lib14a.ISO14A_COMMAND.ISO14A_RAW
128 + lib14a.ISO14A_COMMAND.ISO14A_APPEND_CRC
129
130 local c = Command:newMIX{cmd = cmds.CMD_HF_ISO14443A_READER,
131 arg1 = flags,
132 -- arg2 contains the length, which is half the length of the ASCII-string rawdata
133 arg2 = string.len(rawdata)/2,
134 data = rawdata}
135
136 return c:sendMIX(options.ignore_response)
137 end
138 ---
139 --
140 local function send(payload)
141 local usb, err = sendRaw(payload,{ignore_response = false})
142 if err then return oops(err) end
143 return getResponseData(usb)
144 end
145 ---
146 -- select tag and if password is set, authenticate
147 local function connect()
148 core.clearCommandBuffer()
149
150 -- First of all, connect
151 info, err = lib14a.read(true, true)
152 if err then
153 lib14a.disconnect()
154 return oops(err)
155 end
156 core.clearCommandBuffer()
157
158 --authenticate if needed using global variable
159 if _password then
160 send('1B'.._password)
161 end
162 return true
163 end
164 --
165 -- Read magic configuration
166 local function read_config()
167 local info = connect()
168 if not info then return false, "Can't select card" end
169
170 -- read PWD
171 local pwd = send("30F0"):sub(1,8)
172
173 -- 04 response indicates that blocks has been locked down.
174 if pwd == '04' then lib14a.disconnect(); return nil, "can't read configuration, "..err_lock end
175
176 -- read PACK
177 local pack = send("30F1"):sub(1,4)
178
179 -- read SIGNATURE
180 local signature1 = send('30F2'):sub(1,32)
181 local signature2 = send('30F6'):sub(1,32)
182
183 -- read VERSION
184 local version = send('30FA'):sub(1,16)
185 -- read config
186 local cardtype = send('30FC'):sub(1,2)
187
188 local typestr = ''
189 if cardtype == '00' then typestr = 'NTAG 213'
190 elseif cardtype == '01' then typestr = 'NTAG 215'
191 elseif cardtype == '02' then typestr = 'NTAG 216'
192 end
193
194 print('Magic NTAG 21* Configuration')
195 print(' - Type ', typestr, '(genuine cardtype)')
196 print(' - Password', pwd)
197 print(' - Pack ', pack)
198 print(' - Version ', version)
199 print(' - Signature', signature1..signature2)
200
201 lib14a.disconnect()
202 return true, 'Ok'
203 end
204 ---
205 -- Write SIGNATURE data
206 local function write_signature(data)
207
208 -- uid string checks
209 if data == nil then return nil, 'empty data string' end
210 if #data == 0 then return nil, 'empty data string' end
211 if #data ~= 64 then return nil, 'data wrong length. Should be 32 hex bytes' end
212
213 local info = connect()
214 if not info then return false, "Can't select card" end
215
216 print('Writing new signature')
217
218 local b,c
219 local cmd = 'A2F%d%s'
220 local j = 2
221 for i = 1, #data, 8 do
222 b = data:sub(i,i+7)
223 c = cmd:format(j,b)
224 local resp = send(c)
225 if resp == '04' then lib14a.disconnect(); return nil, 'Failed to write signature' end
226 j = j + 1
227 end
228 lib14a.disconnect()
229 return true, 'Ok'
230 end
231 ---
232 -- Write PWD
233 local function write_pwd(pwd)
234 -- PWD string checks
235 if pwd == nil then return nil, 'empty PWD string' end
236 if #pwd == 0 then return nil, 'empty PWD string' end
237 if #pwd ~= 8 then return nil, 'PWD wrong length. Should be 4 hex bytes' end
238
239 local info = connect()
240 if not info then return false, "Can't select card" end
241
242 print('Writing new PWD ', pwd)
243
244 local resp = send('A2F0'..pwd)
245 lib14a.disconnect()
246 if resp == '04' then
247 return nil, 'Failed to write password'
248 else
249 return true, 'Ok'
250 end
251 end
252 ---
253 -- Write PACK
254 local function write_pack(pack)
255 -- PACK string checks
256 if pack == nil then return nil, 'empty PACK string' end
257 if #pack == 0 then return nil, 'empty PACK string' end
258 if #pack ~= 4 then return nil, 'PACK wrong length. Should be 4 hex bytes' end
259
260 local info = connect()
261 if not info then return false, "Can't select card" end
262
263 print('Writing new PACK', pack)
264
265 local resp = send('A2F1'..pack..'0000')
266 lib14a.disconnect()
267 if resp == '04' then
268 return nil, 'Failed to write pack'
269 else
270 return true, 'Ok'
271 end
272 end
273 --
274 -- Write OTP block
275 local function write_otp(block3)
276
277 -- OTP string checks
278 if block3 == nil then return nil, 'empty OTP string' end
279 if #block3 == 0 then return nil, 'empty OTP string' end
280 if #block3 ~= 8 then return nil, 'OTP wrong length. Should be 4 hex bytes' end
281
282 local info = connect()
283 if not info then return false, "Can't select card" end
284
285 print('Writing new OTP ', block3)
286
287 local resp = send('A203'..block3)
288 lib14a.disconnect()
289 if resp == '04' then
290 return nil, 'Failed to write OTP'
291 else
292 return true, 'Ok'
293 end
294 end
295 --
296 -- Writes a UID with bcc1, bcc2. Needs a magic tag.
297 local function write_uid(uid)
298 -- uid string checks
299 if uid == nil then return nil, 'empty uid string' end
300 if #uid == 0 then return nil, 'empty uid string' end
301 if #uid ~= 14 then return nil, 'uid wrong length. Should be 7 hex bytes' end
302
303 local info = connect()
304 if not info then return false, "Can't select card" end
305
306 print('Writing new UID ', uid)
307
308 local uidbytes = utils.ConvertHexToBytes(uid)
309 local bcc1 = bxor(bxor(bxor(uidbytes[1], uidbytes[2]), uidbytes[3]), 0x88)
310 local bcc2 = bxor(bxor(bxor(uidbytes[4], uidbytes[5]), uidbytes[6]), uidbytes[7])
311 local block0 = string.format('%02X%02X%02X%02X', uidbytes[1], uidbytes[2], uidbytes[3], bcc1)
312 local block1 = string.format('%02X%02X%02X%02X', uidbytes[4], uidbytes[5], uidbytes[6], uidbytes[7])
313 local block2 = string.format('%02X%02X%02X%02X', bcc2, 0x48, 0x00, 0x00)
314 local resp
315
316 resp = send('A200'..block0)
317 resp = send('A201'..block1)
318 resp = send('A202'..block2)
319 lib14a.disconnect()
320
321 if resp == '04' then
322 return nil, 'Failed to write new uid'
323 else
324 return true, 'Ok'
325 end
326 end
327 ---
328 -- Write VERSION data,
329 -- make sure you have correct version data
330 local function write_version(data)
331 -- version string checks
332 if data == nil then return nil, 'empty version string' end
333 if #data == 0 then return nil, 'empty version string' end
334 if #data ~= 16 then return nil, 'version wrong length. Should be 8 hex bytes' end
335
336 local info = connect()
337 if not info then return false, "Can't select card" end
338
339 print('Writing new version', data)
340
341 local b1 = data:sub(1,8)
342 local b2 = data:sub(9,16)
343 local resp
344 resp = send('A2FA'..b1)
345 resp = send('A2FB'..b2)
346 lib14a.disconnect()
347 if resp == '04' then
348 return nil, 'Failed to write version'
349 else
350 return true, 'Ok'
351 end
352 end
353 ---
354 -- writen TYPE which card is based on.
355 -- 00 = 213, 01 = 215, 02 = 216
356 local function write_type(data)
357 -- type string checks
358 if data == nil then return nil, 'empty type string' end
359 if #data == 0 then return nil, 'empty type string' end
360 if #data ~= 2 then return nil, 'type wrong length. Should be 1 hex byte' end
361
362 local info = connect()
363 if not info then return false, "Can't select card" end
364 print('Writing new type', data)
365
366 local resp = send('A2FC'..data..'000000')
367 lib14a.disconnect()
368 if resp == '04' then
369 return nil, 'Failed to write type'
370 else
371 return true, 'Ok'
372 end
373 end
374 ---
375 -- Set tag type. Predefinde version data together with magic type set.
376 -- Since cmd always gives 10 bytes len (data+crc) we can impersonate the following types
377 -- we only truely be three types NTAG 213,215 and 216
378 local function set_type(tagtype)
379
380 -- tagtype checks
381 if type(tagtype) == 'string' then tagtype = tonumber(tagtype, 10) end
382 if tagtype == nil then return nil, 'empty tagtype' end
383
384 if tagtype == 1 then
385 print('Setting: UL-EV1 48')
386 write_otp('00000000') -- Setting OTP to default 00 00 00 00
387 write_version('0004030101000b03') -- UL-EV1 (48) 00 04 03 01 01 00 0b 03
388 write_type('00') -- based on NTAG213..
389
390 -- Setting UL-Ev1 default config bl 16,17
391 connect()
392 send('a210000000FF')
393 send('a21100050000')
394
395 elseif tagtype == 2 then
396 print('Setting: UL-EV1 128')
397 write_otp('00000000') -- Setting OTP to default 00 00 00 00
398 write_version('0004030101000e03') -- UL-EV1 (128) 00 04 03 01 01 00 0e 03
399 write_type('01')
400
401 -- Setting UL-Ev1 default config bl 37,38
402 connect()
403 send('a225000000FF')
404 send('a22600050000')
405 elseif tagtype == 3 then
406 print('Setting: NTAG 210')
407 write_version('0004040101000b03') -- NTAG210 00 04 04 01 01 00 0b 03
408 write_type('00')
409
410 -- Setting NTAG210 default CC block456
411 connect()
412 send('a203e1100600')
413 send('a2040300fe00')
414 send('a20500000000')
415 -- Setting cfg1/cfg2
416 send('a210000000FF')
417 send('a21100050000')
418 elseif tagtype == 4 then
419 print('Setting: NTAG 212')
420 write_version('0004040101000E03') -- NTAG212 00 04 04 01 01 00 0E 03
421 write_type('00')
422
423 -- Setting NTAG212 default CC block456
424 connect()
425 send('a203e1101000')
426 send('a2040103900a')
427 send('a205340300fe')
428 -- Setting cfg1/cfg2
429 send('a225000000FF')
430 send('a22600050000')
431 elseif tagtype == 5 then
432 print('Setting: NTAG 213')
433 write_version('0004040201000F03') -- NTAG213 00 04 04 02 01 00 0f 03
434 write_type('00')
435
436 -- Setting NTAG213 default CC block456
437 connect()
438 send('a203e1101200')
439 send('a2040103a00c')
440 send('a205340300fe')
441 -- setting cfg1/cfg2
442 send('a229000000ff')
443 send('a22a00050000')
444 elseif tagtype == 6 then
445 print('Setting: NTAG 215')
446 write_version('0004040201001103') -- NTAG215 00 04 04 02 01 00 11 03
447 write_type('01')
448
449 -- Setting NTAG215 default CC block456
450 connect()
451 send('a203e1103e00')
452 send('a2040300fe00')
453 send('a20500000000')
454 -- setting cfg1/cfg2
455 send('a283000000ff')
456 send('a28400050000')
457 elseif tagtype == 7 then
458 print('Setting: NTAG 216')
459 write_version('0004040201001303') -- NTAG216 00 04 04 02 01 00 13 03
460 write_type('02')
461
462 -- Setting NTAG216 default CC block456
463 connect()
464 send('a203e1106d00')
465 send('a2040300fe00')
466 send('a20500000000')
467 -- setting cfg1/cfg2
468 send('a2e3000000ff')
469 send('a2e400050000')
470 elseif tagtype == 8 then
471 print('Setting: NTAG I2C 1K')
472 write_version('0004040502011303') -- NTAG_I2C_1K 00 04 04 05 02 01 13 03
473 write_type('02')
474
475 -- Setting NTAG I2C 1K default CC block456
476 connect()
477 send('a203e1106D00')
478 send('a2040300fe00')
479 send('a20500000000')
480 elseif tagtype == 9 then
481 print('Setting: NTAG I2C 2K')
482 write_version('0004040502011503') -- NTAG_I2C_2K 00 04 04 05 02 01 15 03
483 write_type('02')
484
485 -- Setting NTAG I2C 2K default CC block456
486 connect()
487 send('a203e110EA00')
488 send('a2040300fe00')
489 send('a20500000000')
490 elseif tagtype == 10 then
491 print('Setting: NTAG I2C plus 1K')
492 write_version('0004040502021303') -- NTAG_I2C_1K 00 04 04 05 02 02 13 03
493 write_type('02')
494
495 -- Setting NTAG I2C 1K default CC block456
496 connect()
497 send('a203e1106D00')
498 send('a2040300fe00')
499 send('a20500000000')
500 elseif tagtype == 11 then
501 print('Setting: NTAG I2C plus 2K')
502 write_version('0004040502021503') -- NTAG_I2C_2K 00 04 04 05 02 02 15 03
503 write_type('02')
504
505 -- Setting NTAG I2C 2K default CC block456
506 connect()
507 send('a203e1106D00')
508 send('a2040300fe00')
509 send('a20500000000')
510 elseif tagtype == 12 then
511 print('Setting: NTAG 213F')
512 write_version('0004040401000F03') -- NTAG213F 00 04 04 04 01 00 0f 03
513 write_type('00')
514
515 -- Setting NTAG213 default CC block456
516 connect()
517 send('a203e1101200')
518 send('a2040103a00c')
519 send('a205340300fe')
520 -- setting cfg1/cfg2
521 send('a229000000ff')
522 send('a22a00050000')
523 elseif tagtype == 13 then
524 print('Setting: NTAG 216F')
525 write_version('0004040401001303') -- NTAG216F 00 04 04 04 01 00 13 03
526 write_type('02')
527
528 -- Setting NTAG216 default CC block456
529 connect()
530 send('a203e1106d00')
531 send('a2040300fe00')
532 send('a20500000000')
533 -- setting cfg1/cfg2
534 send('a2e3000000ff')
535 send('a2e400050000')
536 end
537
538 lib14a.disconnect()
539 if resp == '04' then
540 return nil, 'Failed to set type'
541 else
542 return true, 'Ok'
543 end
544 end
545 ---
546 -- wipe tag
547 local function wipe()
548
549 local info = connect()
550 if not info then return false, "Can't select card" end
551
552 local err, msg, resp
553 local cmd_empty = 'A2%02X00000000'
554 local cmd_cfg1 = 'A2%02X000000FF'
555 local cmd_cfg2 = 'A2%02X00050000'
556
557 print('Wiping tag')
558
559 for b = 3, 0xFB do
560 --configuration block 0
561 if b == 0x29 or b == 0x83 or b == 0xe3 then
562 local cmd = (cmd_cfg1):format(b)
563 resp = send(cmd)
564 --configuration block 1
565 elseif b == 0x2a or b == 0x84 or b == 0xe4 then
566 local cmd = (cmd_cfg2):format(b)
567 resp = send(cmd)
568 else
569 resp = send(cmd_empty:format(b))
570 end
571 if resp == '04' or #resp == 0 then
572 io.write('\nwrote block '..b, ' failed\n')
573 err = true
574 else
575 io.write('.')
576 end
577 io.flush()
578 end
579 io.write('\r\n')
580
581 lib14a.disconnect()
582
583 if err then return nil, "Tag locked down, "..err_lock end
584
585 print('setting default values...')
586
587 set_password(nil)
588
589 -- set NTAG213 default values
590 err, msg = set_type(5)
591 if err == nil then return err, msg end
592
593 --set UID
594 err, msg = write_uid('04112233445566')
595 if err == nil then return err, msg end
596
597 --set pwd
598 err, msg = write_pwd('FFFFFFFF')
599 if err == nil then return err, msg end
600
601 --set pack
602 err, msg = write_pack('0000')
603 if err == nil then return err, msg end
604
605 return true, 'Ok'
606 end
607 ---
608 -- The main entry point
609 function main(args)
610
611 print( string.rep('--',20) )
612 print( string.rep('--',20) )
613 print()
614
615 local err, msg
616
617 if #args == 0 then return help() end
618
619 -- Read the parameters
620 for o, a in getopt.getopt(args, 'hck:u:t:p:a:s:o:v:w') do
621
622 -- help
623 if o == "h" then return help() end
624
625 --key
626 if o == 'k' then err, msg = set_password(a) end
627
628 -- configuration
629 if o == "c" then err, msg = read_config() end
630
631 --wipe tag
632 if o == "w" then err, msg = wipe() end
633
634 -- write uid
635 if o == "u" then err, msg = write_uid(a) end
636
637 -- write type/version
638 if o == "t" then err, msg = set_type(a) end
639
640 -- write pwd
641 if o == "p" then err, msg = write_pwd(a) end
642
643 -- write pack
644 if o == "a" then err, msg = write_pack(a) end
645
646 -- write signature
647 if o == "s" then err, msg = write_signature(a) end
648
649 -- write otp
650 if o == "o" then err, msg = write_otp(a) end
651
652 -- write version
653 if o == "v" then err, msg = write_version(a) end
654
655 if err == nil then return oops(msg) end
656 end
657
658 end
659
660 main(args)
Proxmark3 - the RFID research Swiss army knife. Iceman firmware