client/luascripts/hf_mf_keycheck.lua

   1 --[[
   2     This is an example of Lua-scripting within Proxmark3. This is a lua-side
   3     implementation of hf mf chk
   4
   5     This code is licensed to you under the terms of the GNU GPL, version 2 or,
   6     at your option, any later version. See the LICENSE.txt file for the text of
   7     the license.
   8
   9     Copyright (C) 2013 m h swende <martin at swende.se>
  10 --]]
  11 local cmds = require('commands')
  12 local keylist = require('mfc_default_keys')
  13 local lib14a = require('read14a')
  14 local getopt = require('getopt')
  15 local utils = require('utils')
  16 local ansicolors  = require('ansicolors')
  17
  18 copyright = ''
  19 author = "Holiman"
  20 version = 'v1.0.2'
  21 desc = ("This script implements Mifare check keys.\
  22 It utilises a large list of default keys (currently %d keys).\
  23 If you want to add more, just put them inside /lualibs/mfc_default_keys.lua\n"):format(#keylist)
  24 example = [[
  25     1. script run hf_mf_keycheck
  26 ]]
  27 usage = [[
  28 script run hf_mf_keycheck [-p]
  29 ]]
  30 arguments = [[
  31     -h             : this help
  32     -p             : print keys
  33 ]]
  34
  35 local PM3_SUCCESS = 0 -- needs to be refactored into own like pm3_cmd
  36
  37 local TIMEOUT = 10000 -- 10 seconds
  38 ---
  39 -- This is only meant to be used when errors occur
  40 local function oops(err)
  41     print('ERROR:', err)
  42     core.clearCommandBuffer()
  43     return nil, err
  44 end
  45 ---
  46 -- Usage help
  47 local function help()
  48     print(copyright)
  49     print(author)
  50     print(version)
  51     print(desc)
  52     print(ansicolors.cyan..'Usage'..ansicolors.reset)
  53     print(usage)
  54     print(ansicolors.cyan..'Arguments'..ansicolors.reset)
  55     print(arguments)
  56     print(ansicolors.cyan..'Example usage'..ansicolors.reset)
  57     print(example)
  58 end
  59 --
  60 -- waits for answer from pm3 device
  61 local function checkCommand(response)
  62     if not response then
  63         print("Timeout while waiting for response. Increase TIMEOUT in hf_mf_keycheck.lua to wait longer")
  64         return nil, "Timeout while waiting for device to respond"
  65     end
  66
  67     if response.Status == PM3_SUCCESS then
  68         --decode data array
  69         key = response.Data:sub(1, 12)
  70         found = tonumber(response.Data:sub(13,14))
  71         if found == 1 then
  72             return key
  73         end
  74     end
  75     return nil
  76 end
  77
  78 local function checkBlock(blockno, testkeys, keytype)
  79
  80     -- The command data is only 512 bytes,
  81     -- each key is 6 bytes,
  82     -- NG args inside dataarray is 4 bytes.  That give us (512-4)/6 or max 84 keys in one go.
  83     -- If there's more, we need to split it up
  84     local start, remaining = 1, #testkeys
  85     local maxchunk = math.floor((512-4)/6)
  86     local chunksize = remaining
  87     if remaining > maxchunk then chunksize = maxchunk end
  88     local n = chunksize
  89
  90     while remaining > 0 do
  91
  92         local d0 = ('%02X%02X00%02X'):format(keytype, blockno, chunksize)
  93         local d1 = table.concat(testkeys, "", start, n)
  94
  95         core.clearCommandBuffer()
  96
  97         print(("Testing block %d, keytype %d, with %d keys"):format(blockno, keytype, chunksize))
  98
  99         local c = Command:newNG{cmd = cmds.CMD_HF_MIFARE_CHKKEYS, data = d0..d1}
 100         key, err = checkCommand(c:sendNG(false))
 101
 102         if key then return key, blockno end
 103
 104         start = start + chunksize
 105         remaining = remaining - chunksize
 106
 107         if remaining < maxchunk then chunksize = remaining end
 108         n = n + chunksize
 109     end
 110     return nil
 111 end
 112 ---
 113 -- A function to display the results
 114 local function display_results(keys)
 115     local sector, keyA, keyB, succA, succB
 116     print('')
 117     print('|---|----------------|---|----------------|---|')
 118     print('|sec|key A           |res|key B           |res|')
 119     print('|---|----------------|---|----------------|---|')
 120
 121     for sector = 0, #keys do
 122         succA, succB, keyA, keyB = unpack(keys[sector])
 123         print(('|%03d|  %s  | %s |  %s  | %s |'):format(sector, keyA, succA, keyB, succB))
 124     end
 125     print('|---|----------------|---|----------------|---|')
 126 end
 127 ---
 128 -- A little helper to place an item first in the list
 129 local function placeFirst(akey, list)
 130     akey = akey:lower()
 131     if list[1] == akey then
 132         -- Already at pole position
 133         return list
 134     end
 135     local result = {akey}
 136     --print(("Putting '%s' first"):format(akey))
 137     for i,v in ipairs(list) do
 138         if v ~= akey then
 139             result[#result+1] = v
 140         end
 141     end
 142     return result
 143 end
 144 --[[
 145 The mifare Classic 1k card has 16 sectors of 4 data blocks each.
 146 The first 32 sectors of a mifare Classic 4k card consists of 4 data blocks and the remaining
 147 8 sectors consist of 16 data blocks.
 148 --]]
 149 local function get_blockno(s)
 150
 151     local b, sector
 152
 153     if type(s) == 'string' then
 154         sector = tonumber(s)
 155     else
 156         sector = s
 157     end
 158
 159     if sector < 32 then
 160         b = sector * 4
 161     else
 162         b = 32 * 4 + (sector - 32) * 16
 163 end
 164     return ('%02x'):format(b)
 165 end
 166 --
 167 -- dumps all keys to file
 168 local function dumptofile(uid, keys)
 169     if utils.confirm('Do you wish to save the keys to dumpfile?') then
 170         local filename = ('hf-mf-%s-key.bin'):format(uid);
 171         local destination = utils.input('Select a filename to store to', filename)
 172         local file = io.open(destination, 'wb')
 173         if file == nil then
 174             print('Could not write to file ', destination)
 175             return
 176         end
 177
 178         local key_a = ''
 179         local key_b = ''
 180
 181         --for sector,_ in pairs(keys) do
 182         for sector = 0, #keys do
 183             local succA, succB, keyA, keyB = unpack(keys[sector])
 184             key_a = key_a .. bin.pack('H', keyA);
 185             key_b = key_b .. bin.pack('H', keyB);
 186         end
 187         file:write(key_a)
 188         file:write(key_b)
 189         file:close()
 190     end
 191 end
 192 ---
 193 --
 194 local function printkeys()
 195     for i=1, #keylist do
 196         print(i, keylist[i])
 197     end
 198     print ('Number of keys: '..#keylist)
 199 end
 200 ---
 201 --
 202 local function perform_check(uid, numsectors)
 203
 204     local keyType = 0 -- A=0, B=1
 205
 206     -- empty list of found keys
 207     local keys = {}
 208     for i = 0, numsectors-1 do
 209         keys[i] = {0,0,'',''}
 210     end
 211
 212     core.fast_push_mode(true)
 213
 214     local start_time = os.time()
 215
 216     for sector = 0, #keys do
 217         -- Check if user aborted
 218         if core.kbd_enter_pressed() then
 219             print('Aborted by user')
 220             break
 221         end
 222
 223         local targetblock = tonumber(get_blockno(sector), 16)
 224
 225         local succA, succB, keyA, keyB = unpack(keys[sector])
 226
 227         local keyA = checkBlock(targetblock, keylist, 0)
 228         if keyA then succA = 1; keylist = placeFirst(keyA, keylist) end
 229         keyA = keyA or '------------'
 230
 231         local keyB = checkBlock(targetblock, keylist, 1)
 232         if keyB then succB = 1; keylist = placeFirst(keyB, keylist) end
 233         keyB = keyB or '------------'
 234
 235         keys[sector] = {succA, succB, keyA, keyB}
 236     end
 237
 238     local end_time = os.time()
 239     print('')
 240     print('[+] hf_mf_keycheck - Checkkey execution time: '..os.difftime(end_time, start_time)..' sec')
 241
 242     core.fast_push_mode(false)
 243
 244     display_results(keys)
 245
 246     -- save to dumpkeys.bin
 247     dumptofile(uid, keys)
 248 end
 249 --
 250 -- shows tag information
 251 local function taginfo(tag)
 252
 253     local sectors = 16
 254     -- Show tag info
 255     print((' Found tag %s'):format(tag.name))
 256
 257     if 0x18 == tag.sak then --NXP MIFARE Classic 4k | Plus 4k
 258         -- MIFARE Classic 4K offers 4096 bytes split into forty sectors,
 259         -- of which 32 are same size as in the 1K with eight more that are quadruple size sectors.
 260         sectors = 40
 261     elseif 0x08 == tag.sak then -- NXP MIFARE CLASSIC 1k | Plus 2k
 262         -- 1K offers 1024 bytes of data storage, split into 16 sector
 263         sectors = 16
 264     elseif 0x09 == tag.sak then -- NXP MIFARE Mini 0.3k
 265         -- MIFARE Classic mini offers 320 bytes split into five sectors.
 266         sectors = 5
 267     elseif  0x10 == tag.sak then-- "NXP MIFARE Plus 2k"
 268         sectors = 32
 269     else
 270         print("I don't know how many sectors there are on this type of card, defaulting to 16")
 271     end
 272     return sectors
 273 end
 274 ---
 275 -- The main entry point
 276 local function main(args)
 277
 278     -- Arguments for the script
 279     for o, a in getopt.getopt(args, 'hp') do
 280         if o == 'h' then return help() end
 281         if o == 'p' then return printkeys() end
 282     end
 283     -- identify tag
 284     tag, err = lib14a.read(false, true)
 285     if not tag then return oops(err) end
 286
 287     local numSectors = 16
 288
 289     -- detect sectors and print taginfo
 290     numsectors = taginfo(tag)
 291
 292     perform_check(tag.uid, numsectors)
 293 end
 294
 295 main( args)