tools/pm3_mf7b_wipe.py

   1 #! /usr/bin/env python3.6
   2 # -*- coding: utf-8 -*-
   3 #
   4 #  VULNERS OPENSOURCE
   5 #  __________________
   6 #
   7 #  Vulners Project [https://vulners.com]
   8 #  All Rights Reserved.
   9 #
  10 #  Author: Kir [isox@vulners.com]
  11 #  Credits: Dennis Goh [dennis@rfidresearchgroup.com]
  12 #
  13 # This helper script is made for wiping S50 7byte UID cards with Gen2 magic commands from restored state to blank one.
  14 #
  15 # Scenario:
  16 # You want to clone 7byte Mifare 1k card using RfidResearchGroup Proxmark3 RDV4.0
  17 #
  18 # Step 1: Dumping original card and making a Mifare 7byte UID clone using S50 7byte UID
  19 #
  20 # Place original card to the reader.
  21 # Dump data and recover keys
  22 #
  23 # hf mf autopwn
  24 #
  25 # You will get data, EML and key file. Backup this file, you will need them to wipe the card back to blank state.
  26 # Place blank S50 card to the reader.
  27 #
  28 # Get first line from EML file (block0) and write it down using command
  29 #
  30 #                                      Place it here
  31 #                                            |
  32 #                                            |
  33 #                                            v
  34 # hf mf wrbl --blk 0 -b -k FFFFFFFFFFFF -d 046E46AAA53480084400120111003113
  35 #
  36 # Now restore all the data using built-in restore command
  37 #
  38 # hf mf restore
  39 #
  40 # Step 2: Recovering S50 7byte UID card to the blank state
  41 #
  42 # Find current card data files from Step 1 in your backup or if you lost them create them again using 'hf mf autopwn' command.
  43 # Place them in current working directory.
  44 #
  45 # Read hf-mf-CARD_UID-data.eml file and copy it content with CTRL-C.
  46 # Place it to the eml variable in this script.
  47 #
  48 # Check execution command and check device and command name: 'proxmark3 -c "%s" /dev/tty.usbmodemiceman1'
  49 #
  50 # Run script and review key blocks returning to default FFFFFFFFFFFF state.
  51 # Be patient! It is executing aprox 3 minutes.
  52 # Success one result looks like:
  53 #
  54 # Block 0: Success: isOk:01
  55 # Block 3: Success: isOk:01
  56 # Block 7: Success: isOk:01
  57 # Block 11: Success: isOk:01
  58 # Block 15: Success: isOk:01
  59 # Block 19: Success: isOk:01
  60 # Block 23: Success: isOk:01
  61 # Block 27: Success: isOk:01
  62 # Block 31: Success: isOk:01
  63 # Block 35: Success: isOk:01
  64 # Block 39: Success: isOk:01
  65 # Block 43: Success: isOk:01
  66 # Block 47: Success: isOk:01
  67 # Block 51: Success: isOk:01
  68 # Block 55: Success: isOk:01
  69 # Block 59: Success: isOk:01
  70 # Block 63: Success: isOk:01
  71 #
  72 # Thats it! Your S50 7byte UID card is wiped back. Now you can return back to Step 1 of this manual.
  73 #
  74 #
  75
  76 import subprocess
  77
  78 # EML data var te get keys of
  79 EML_FILE_DATA = """PLACE RAW hf-mf-CARD_UID-dump.eml FILE CONTENT OF CURRENTLY LOADED CARD HERE"""
  80 # Change your device name here if it differs from the default Proxmark3 RDV4.0
  81 PROXMARK_BIN_EXEC_STRING = './pm3 -c "%s"'
  82 # Constants
  83 DEFAULT_ACCESS_BLOCK = "FFFFFFFFFFFFFF078000FFFFFFFFFFFF"
  84 F12_KEY = "FFFFFFFFFFFF"
  85
  86 def exec_proxmark_cmd(command, retry = 2, input=""):
  87     exec_ok = False
  88     retry_c = 0
  89     while not exec_ok and retry_c < retry:
  90         sh_command = PROXMARK_BIN_EXEC_STRING % command
  91         rst = subprocess.run(sh_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, input=input.encode("utf-8"))
  92
  93         proxmark_reply = rst.stdout.decode("utf-8")
  94         proxmark_status = proxmark_reply.splitlines()[-1:][0].strip()
  95         if proxmark_status == "ok":
  96             return True, "Success: " + proxmark_status
  97         retry_c += 1
  98     return False, "Error: %s , status %s" % (proxmark_reply.splitlines()[-2:][0], proxmark_status)
  99
 100
 101 def chunk(iterable,n):
 102     """assumes n is an integer>0
 103     """
 104     iterable=iter(iterable)
 105     while True:
 106         result=[]
 107         for i in range(n):
 108             try:
 109                 a=next(iterable)
 110             except StopIteration:
 111                 break
 112             else:
 113                 result.append(a)
 114         if result:
 115             yield result
 116         else:
 117             break
 118
 119 sector_array = [sector for sector in chunk(EML_FILE_DATA.splitlines(), 4)]
 120 block = 0
 121 block_success = {}
 122
 123 for sector in sector_array:
 124     key_A = sector[3][:12]
 125     key_B = sector[3][-12:]
 126     for _block in range(0,4):
 127         if sector_array.index(sector) == 0 and block == 0:
 128             write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -b -k %s -d %s" % (block, key_B, sector[0]))
 129             if not write_status:
 130                 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, key_A, sector[0]))
 131             if not write_status:
 132                 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, F12_KEY, sector[0]))
 133             block_success[block] = verbose
 134
 135         elif _block == 3:
 136             write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -b -k %s -d %s" % (block, key_B, DEFAULT_ACCESS_BLOCK))
 137             if not write_status:
 138                 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, key_A, DEFAULT_ACCESS_BLOCK))
 139             if not write_status:
 140                 write_status, verbose = exec_proxmark_cmd("hf mf wrbl --blk %s -a -k %s -d %s" % (block, F12_KEY, DEFAULT_ACCESS_BLOCK))
 141             block_success[block] = verbose
 142
 143         _block += 1
 144         block += 1
 145
 146 for block in block_success:
 147     print("Block %s: %s" % (block ,block_success[block]))