mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-08-20 21:33:47 -07:00
CHG: 'mem load' - the possibility to upload default_iclass_keys.dic, default_keys.dic, default_pwd.dic to predefined flashmemory sections. These will be used in pwd / key checking algorithms on device.
CHG: 'script run read_pwd_mem.lua' - script now can print those uploaded dictionary files. How to upload pm3 --> mem load f default_iclass_keys i pm3 --> mem load f default_keys m pm3 --> mem load f default_pwd t How to validate / view PM3 -->scr run read_pwd_mem -o 237568 -k 8 pm3 -->scr run read_pwd_mem -o 241664 -k 6 pm3 -->scr run read_pwd_mem -o 245760 -k 4
This commit is contained in:
iceman1001
parent
75d0b0b06f
commit
0fb0c35308
9 changed files with 276 additions and 65 deletions
|
|
@ -1,23 +1,29 @@
|
|||
local getopt = require('getopt')
|
||||
local bin = require('bin')
|
||||
|
||||
copyright = 'Copyright (c) 2018 Bogito. All rights reserved.'
|
||||
author = "Bogito"
|
||||
version = 'v1.0.0'
|
||||
desc =[[
|
||||
version = 'v1.0.1'
|
||||
desc =
|
||||
[[
|
||||
This script will read the flash memory of RDV4 and print the stored passwords.
|
||||
It was meant to be used as a help tool after using the BogRun standalone mode.
|
||||
|
||||
(Iceman) script adapted to read and print keys in the default dictionary flashmemory sections.
|
||||
]]
|
||||
usage = [[
|
||||
usage =
|
||||
[[
|
||||
Usage:
|
||||
script run read_pwd_mem -h -o <offset> -l <length>
|
||||
script run read_pwd_mem -h -o <offset> -l <length> -k <keylength>
|
||||
|
||||
Arguments:
|
||||
-h : this help
|
||||
-o <OFFSET> : Memory offset. Default is 0.
|
||||
-l <LENGTH> : Length in bytes. Default is 256.
|
||||
-h : this help
|
||||
-o <offset> : memory offset, default is 0
|
||||
-l <length> : length in bytes, default is 256
|
||||
-k <keylen> : key length in bytes <4|6|8> , default is 4
|
||||
]]
|
||||
example =[[
|
||||
Examples:
|
||||
example =
|
||||
[[
|
||||
-- This will scan the first 256 bytes of flash memory for stored passwords
|
||||
script run read_pwd_mem
|
||||
|
||||
|
|
@ -26,61 +32,103 @@ Examples:
|
|||
|
||||
-- This will scan 32 bytes of flash memory at offset 64 for stored passwords
|
||||
script run read_pwd_mem -o 64 -l 32
|
||||
|
||||
-- This will print found
|
||||
script run read_pwd_mem -o 241664 -k 6
|
||||
]]
|
||||
|
||||
---
|
||||
-- This is only meant to be used when errors occur
|
||||
local function oops(err)
|
||||
print("ERROR: ", err)
|
||||
return nil, err
|
||||
end
|
||||
---
|
||||
-- Usage help
|
||||
local function help()
|
||||
print(copyright)
|
||||
print(version)
|
||||
print(desc)
|
||||
print(usage)
|
||||
print('Example usage:')
|
||||
print(example)
|
||||
end
|
||||
|
||||
---
|
||||
-- The main entry point
|
||||
local function main(args)
|
||||
|
||||
local data, err, quadlet, pwdcnt
|
||||
print( string.rep('--',20) )
|
||||
print( string.rep('--',20) )
|
||||
print()
|
||||
|
||||
local data, err, quadlet
|
||||
local cnt = 0
|
||||
local offset = 0
|
||||
local length = 256
|
||||
local keylength = 4
|
||||
local usedkey = false
|
||||
|
||||
-- Read the parameters
|
||||
for o, a in getopt.getopt(args, 'ho:l:') do
|
||||
for o, a in getopt.getopt(args, 'ho:l:k:') do
|
||||
|
||||
-- help
|
||||
if o == "h" then return help() end
|
||||
|
||||
-- offset
|
||||
if o == "o" then offset = tonumber(a) end
|
||||
|
||||
-- num of bytes to read
|
||||
if o == "l" then length = tonumber(a) end
|
||||
|
||||
-- keylength
|
||||
if o == "k" then keylength = tonumber(a); usedkey = true end
|
||||
end
|
||||
|
||||
if length < 0 or length > 256 then
|
||||
return print('Error: Length is not valid. Must be less than 256')
|
||||
return oops('Error: Length is not valid. Must be less than 256')
|
||||
end
|
||||
|
||||
if ((offset < 0) or (offset % 4 ~= 0)) then
|
||||
return print('Error: Offset is not valid. Mod-4 values are only allowed.')
|
||||
if (offset < 0) or (offset % 4 ~= 0) then
|
||||
return oops('Error: Offset is not valid. Mod-4 values are only allowed.')
|
||||
end
|
||||
|
||||
print('Offset: ' .. offset)
|
||||
print('Length: ' .. length)
|
||||
print()
|
||||
print('Memory offset', offset)
|
||||
print('Length ', length)
|
||||
print('Key length ', keylength)
|
||||
print( string.rep('--',20) )
|
||||
|
||||
data, err = core.GetFromFlashMem(offset, length)
|
||||
if usedkey then length = 4096 end
|
||||
|
||||
data, err = core.GetFromFlashMem(offset, length)
|
||||
if err then return oops(err) end
|
||||
|
||||
if err then
|
||||
print(err)
|
||||
return
|
||||
if usedkey then
|
||||
|
||||
_, keys, s = bin.unpack('SH'..length-2, data)
|
||||
if keys == 0xFFFF then return "No keys found in section" end
|
||||
|
||||
local kl = keylength * 2
|
||||
for i = 1, keys do
|
||||
|
||||
key = string.sub(s, (i - 1) * kl + 1, i * kl )
|
||||
print(string.format("[%02d] %s",i, key))
|
||||
end
|
||||
print( string.rep('--',20) )
|
||||
print( ('[+] found %d passwords'):format(keys))
|
||||
else
|
||||
|
||||
_, s = bin.unpack('H'..length, data)
|
||||
|
||||
local cnt = 0, i
|
||||
for i = 1, (length/keylength) do
|
||||
|
||||
key = string.sub(s, (i-1)*8+1, i*8)
|
||||
if key == "FFFFFFFF" then break end
|
||||
print(string.format("[%02d] %s",i, key))
|
||||
cnt = cnt + 1
|
||||
end
|
||||
print( string.rep('--',20) )
|
||||
print( ('[+] found %d passwords'):format(cnt))
|
||||
end
|
||||
|
||||
local count, s = bin.unpack('H'..length, data)
|
||||
|
||||
pwdcnt = 0
|
||||
for i = 1,(length/4),1
|
||||
do
|
||||
quadlet = string.sub(s, (i-1)*8+1, i*8)
|
||||
if quadlet == "FFFFFFFF" then break end
|
||||
print(string.format("[%02d]",i) .. ' ' .. quadlet)
|
||||
pwdcnt = pwdcnt + 1
|
||||
|
||||
end
|
||||
print()
|
||||
print('Found passwords: ' .. pwdcnt)
|
||||
|
||||
print( string.rep('--',20) )
|
||||
end
|
||||
|
||||
main(args)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue