added more keys (@equipter)
[RRG-proxmark3.git] / tools / pm3_mf7b_wipe.py
blobd4ba6f197824558e194bdda9956b3cb6b0bd3b69
1 #! /usr/bin/env python3.6
2 # -*- coding: utf-8 -*-
4 # VULNERS OPENSOURCE
5 # __________________
7 # Vulners Project [https://vulners.com]
8 # All Rights Reserved.
10 # Author: Kir [isox@vulners.com]
11 # Credits: Dennis Goh [dennis@rfidresearchgroup.com]
13 # This helper script is made for wiping S50 7byte UID cards with Gen2 magic commands from restored state to blank one.
15 # Scenario:
16 # You want to clone 7byte Mifare 1k card using RfidResearchGroup Proxmark3 RDV4.0
18 # Step 1: Dumping original card and making a Mifare 7byte UID clone using S50 7byte UID
20 # Place original card to the reader.
21 # Dump data and recover keys
23 # hf mf autopwn
25 # You will get data, EML and key file. Backup this file, you will need them to wipe the card back to blank state.
26 # Place blank S50 card to the reader.
28 # Get first line from EML file (block0) and write it down using command
30 # Place it here
31 # |
32 # |
33 # v
34 # hf mf wrbl --blk 0 -b -k FFFFFFFFFFFF -d 046E46AAA53480084400120111003113
36 # Now restore all the data using built-in restore command
38 # hf mf restore
40 # Step 2: Recovering S50 7byte UID card to the blank state
42 # Find current card data files from Step 1 in your backup or if you lost them create them again using 'hf mf autopwn' command.
43 # Place them in current working directory.
45 # Read hf-mf-CARD_UID-data.eml file and copy it content with CTRL-C.
46 # Place it to the eml variable in this script.
48 # Check execution command and check device and command name: 'proxmark3 -c "%s" /dev/tty.usbmodemiceman1'
50 # Run script and review key blocks returning to default FFFFFFFFFFFF state.
51 # Be patient! It is executing aprox 3 minutes.
52 # Success one result looks like:
54 # Block 0: Success: isOk:01
55 # Block 3: Success: isOk:01
56 # Block 7: Success: isOk:01
57 # Block 11: Success: isOk:01
58 # Block 15: Success: isOk:01
59 # Block 19: Success: isOk:01
60 # Block 23: Success: isOk:01
61 # Block 27: Success: isOk:01
62 # Block 31: Success: isOk:01
63 # Block 35: Success: isOk:01
64 # Block 39: Success: isOk:01
65 # Block 43: Success: isOk:01
66 # Block 47: Success: isOk:01
67 # Block 51: Success: isOk:01
68 # Block 55: Success: isOk:01
69 # Block 59: Success: isOk:01
70 # Block 63: Success: isOk:01
72 # Thats it! Your S50 7byte UID card is wiped back. Now you can return back to Step 1 of this manual.
76 import subprocess
78 # EML data var te get keys of
79 EML_FILE_DATA = """PLACE RAW hf-mf-CARD_UID-dump.eml FILE CONTENT OF CURRENTLY LOADED CARD HERE"""
80 # Change your device name here if it differs from the default Proxmark3 RDV4.0
81 PROXMARK_BIN_EXEC_STRING = './pm3 -c "%s"'
82 # Constants
83 DEFAULT_ACCESS_BLOCK = "FFFFFFFFFFFFFF078000FFFFFFFFFFFF"
84 F12_KEY = "FFFFFFFFFFFF"
86 def exec_proxmark_cmd(command, retry = 2, input=""):
87 exec_ok = False
88 retry_c = 0
89 while not exec_ok and retry_c < retry:
90 sh_command = PROXMARK_BIN_EXEC_STRING % command
91 rst = subprocess.run(sh_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, input=input.encode("utf-8"))
93 proxmark_reply = rst.stdout.decode("utf-8")
94 proxmark_status = proxmark_reply.splitlines()[-1:][0].strip()
95 if proxmark_status == "ok":
96 return True, "Success: " + proxmark_status
97 retry_c += 1
98 return False, "Error: %s , status %s" % (proxmark_reply.splitlines()[-2:][0], proxmark_status)
101 def chunk(iterable,n):
102 """assumes n is an integer>0
104 iterable=iter(iterable)
105 while True:
106 result=[]
107 for i in range(n):
108 try:
109 a=next(iterable)
110 except StopIteration:
111 break
112 else:
113 result.append(a)
114 if result:
115 yield result
116 else:
117 break
119 sector_array = [sector for sector in chunk(EML_FILE_DATA.splitlines(), 4)]
120 block = 0
121 block_success = {}
123 for sector in sector_array:
124 key_A = sector[3][:12]
125 key_B = sector[3][-12:]
126 for _block in range(0,4):
127 if sector_array.index(sector) == 0 and block == 0:
128 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -b -k %s -d %s" % (block, key_B, sector[0]))
129 if not write_status:
130 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, key_A, sector[0]))
131 if not write_status:
132 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, F12_KEY, sector[0]))
133 block_success[block] = verbose
135 elif _block == 3:
136 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -b -k %s -d %s" % (block, key_B, DEFAULT_ACCESS_BLOCK))
137 if not write_status:
138 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, key_A, DEFAULT_ACCESS_BLOCK))
139 if not write_status:
140 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, F12_KEY, DEFAULT_ACCESS_BLOCK))
141 block_success[block] = verbose
143 _block += 1
144 block += 1
146 for block in block_success:
147 print("Block %s: %s" % (block ,block_success[block]))