[RRG-proxmark3.git] / client / luascripts / hf_ntag_dt.lua
1 local getopt = require('getopt')
2 local ansicolors = require('ansicolors')
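-- Script metadata and help texts. They are plain globals; help() prints each of them.
--
-- NOTE(review): the modes documented here rewrite the access-control pages of the tag
-- (AUTH0 on 227/0xE3, ACCESS on 228/0xE4, PWD on 229/0xE5). Record the password before
-- changing it and double-check the -a value: presumably a wrong value on an implant
-- cannot be corrected without the matching password.
-- NOTE(review): passwords are given in clear text on the command line, so they may end
-- up in the client's command history or session log — confirm for your setup.
copyright = ''
author = 'Shain Lakin'
version = 'v1.0.0'
desc =[[

This script modifies the DT NeXT implant (NTAG216) configuration pages.

- NeXT Defaults -

Default hf mfu info:
----------------------------------------------------------------------
[=] --- Tag Configuration
[=] cfg0 [227/0xE3]: 04 00 00 E3
[=] - strong modulation mode disabled
[=] - page 227 and above need authentication
[=] cfg1 [228/0xE4]: 00 05 00 00
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [229/0xE5]: 00 00 00 00 - ( cannot be read )
[=] PACK [230/0xE6]: 00 00 - ( cannot be read )
[=] RFU [230/0xE6]: 00 00 - ( cannot be read )
----------------------------------------------------------------------

Default blocks 0xE0 to 0xE6:
-------------------------------------
[=] 224/0xE0 | 00 00 00 00 | 0 | ....
[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT
[=] 226/0xE2 | 00 00 7F BD | 0 | ....
[=] 227/0xE3 | 04 00 00 E3 | 0 | ....
[=] 228/0xE4 | 00 05 00 00 | 0 | ....
[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR
[=] 230/0xE6 | 00 00 00 00 | 0 | ....
-------------------------------------

]]
example =[[

Set a new password of SUDO using the default password of DNGR:

script run hf_ntag_dt -x pass -p DNGR -n SUDO

Enable password protection from hex block 04 onwards (User memory):

script run hf_ntag_dt -x protect -p DNGR -a 04

Enable password protection from hex block E3 onwards (Configuration Pages):

script run hf_ntag_dt -x protect -p DNGR -a E3

Disable password protection:

script run hf_ntag_dt -x protect -p DNGR -a FF

Enable the counter and enable read + write password protection on password protected pages
(protected block start page specified using -x protect mode):

script run hf_ntag_dt -x conf -p DNGR -c enable -m rw

Disable the counter and enable write only password protection on password protected pages
(protected block start specified using -x protect mode):

script run hf_ntag_dt -x conf -p DNGR -c disable -m w

]]
-- The -m text used to read <r/rw>, which disagreed with the "-m w" example above and
-- with the values the conf mode actually checks for.
usage = [[

script run hf_ntag_dt -x pass -p <password> -n <new_password>
script run hf_ntag_dt -x protect -p <password> -a <auth0_block>
script run hf_ntag_dt -x conf -p <password> -c <enable/disable> -m <r/w/rw>

]]
arguments = [[
-h this help
-x mode (pass, protect, conf)
-p password (ascii)
-n new password (ascii)
-a auth0 block (hex)
-c counter (enable/disable)
-m protection mode (rw = read + write; write only is 'r' with -c enable, 'w' with -c disable)
]]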
---
--- Usage help
-- Prints the metadata globals (copyright, author, version, desc) followed by the
-- usage, arguments and example texts, each of the latter under a cyan heading.
local function help()
    -- Heading in cyan, with the colour reset afterwards.
    local function heading(title)
        print(ansicolors.cyan..title..ansicolors.reset)
    end

    print(copyright)
    print(author)
    print(version)
    print(desc)

    heading('Usage')
    print(usage)

    heading('Arguments')
    print(arguments)

    heading('Example usage')
    print(example)
end
--- Print user message
-- The message is framed by a blank line and a 40-dash rule above and below.
-- @param msg text to show (print() accepts any value)
local function msg(msg)
    local rule = string.rep('--', 20)

    print(rule)
    print('')
    print(msg)
    print('')
    print(rule)
end
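--- String to hex function
-- Converts every byte of `str` into two lower-case hexadecimal digits.
-- The format is "%02x" rather than "%2x": "%2x" pads bytes below 0x10 with a space
-- instead of a zero, which would put a blank inside the hex string that main()
-- concatenates into the `-k` / `-d` arguments of a console command.
-- @param str string to convert
-- @return the hex string, always 2 * #str characters long
local function strhex(str)
    -- The outer parentheses drop gsub's second result (the substitution count).
    return (str:gsub(".", function(char)
        return string.format("%02x", char:byte())
    end))
end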
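-- Main
--- Parse the script options and send the matching `hf mfu` commands to the client.
--
-- Modes (-x):
--   pass    : write the new password to the PWD page (229/0xE5), then read block 0
--             with the new password as a check
--   conf    : write the cfg1 page (228/0xE4): counter on/off and protection mode
--   protect : write the cfg0 page (227/0xE3): first page that needs authentication
--
-- Every option value is checked before it is concatenated into a console command,
-- so a missing or malformed value is reported instead of raising a Lua error or
-- sending a malformed write to the tag. The result of core.console() is not
-- inspected here; the operator has to read the client output to see whether a
-- write succeeded.
-- @param args option string for getopt
local function main(args)
    -- Locals on purpose: these were assigned as globals before.
    local mode, passwd, new_pass, auth0_block, counter, prot_mode
    local command

    -- Report why the request was rejected, then show the usage text.
    local function fail(reason)
        print('ERROR: '..reason)
        return print(usage)
    end

    -- True when `s` is a string of exactly `n` hexadecimal digits.
    local function is_hex(s, n)
        return type(s) == 'string' and #s == n and s:find('^%x+$') ~= nil
    end

    -- Data for page 228 and the message shown, per counter setting and protection mode.
    -- 'r' and 'w' both select write-only protection: 'r' was the spelling accepted
    -- with -c enable and 'w' the one accepted with -c disable.
    local enable_w = { data = '10050000',
        text = 'Enabling counter and setting write access to protected pages as password protected : \n\n' }
    local enable_rw = { data = '90050000',
        text = 'Enabling counter and setting read/write access to protected pages as password protected : \n\n' }
    local disable_w = { data = '00050000',
        text = 'Disabling counter and setting write password protection on protected pages : \n\n' }
    local disable_rw = { data = '80050000',
        text = 'Disabling counter and setting read/write password protection on protected pages : \n\n' }
    local access = {
        enable = { r = enable_w, w = enable_w, rw = enable_rw },
        disable = { r = disable_w, w = disable_w, rw = disable_rw },
    }

    for o, a in getopt.getopt(args, 'b:m:c:a:p:x:n:h') do
        if o == 'm' then prot_mode = a end
        if o == 'c' then counter = a end
        if o == 'a' then auth0_block = a end
        if o == 'p' then passwd = strhex(a) end
        if o == 'x' then mode = a end
        if o == 'n' then new_pass = strhex(a) end
        if o == 'h' then return help() end
    end

    if mode ~= 'pass' and mode ~= 'conf' and mode ~= 'protect' then
        return print(usage)
    end

    -- The PWD page holds 4 bytes, i.e. 8 hex digits after strhex().
    if not is_hex(passwd, 8) then
        return fail('-p is required and must be exactly 4 characters (4 bytes)')
    end

    if mode == 'pass' then
        if not is_hex(new_pass, 8) then
            return fail('-n is required and must be exactly 4 characters (4 bytes)')
        end
        -- Both passwords are echoed in hex by the messages below.
        command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd
        msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command)
        core.console(command)
        command = 'hf mfu rdbl -b 0 -k '..new_pass..''
        msg('Verifying password is correctly set : \n\n'..command)
        core.console(command)
    elseif mode == 'conf' then
        local by_counter = access[counter]
        local choice = by_counter and by_counter[prot_mode]
        -- An unknown -c / -m combination used to fall through without any output.
        if not choice then
            return fail('-c must be enable or disable, and -m must be r, w or rw')
        end
        command = 'hf mfu wrbl -b 228 -d '..choice.data..' -k '..passwd
        msg(choice.text..command)
        core.console(command)
    else
        -- AUTH0 is one byte; anything other than two hex digits would yield
        -- malformed page data.
        if not is_hex(auth0_block, 2) then
            return fail('-a is required and must be two hex digits, e.g. 04, E3 or FF')
        end
        -- The first three bytes are fixed to the default cfg0 value (04 00 00).
        command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block
        msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command)
        core.console(command)
    end
end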
-- Run the script. `args` is not defined in this file; presumably it is the option
-- string supplied by the client's script runner (confirm).
main(args)