github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-20 05:13:46 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

rework script

Browse source
This commit is contained in:
iceman1001 2020-03-21 10:04:03 +01:00
commit 4443ae5500
1 changed files with 105 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

189
client/luascripts/hf-writer.lua
View file

@ -1,33 +1,45 @@
local utils = require('utils') local utils = require('utils')
local getopt = require('getopt') local getopt = require('getopt')
local read14a = require('read14a') local read14a = require('read14a')
local uid = {} -- Array for eml files
local B = {} -- Array for B keys [[--
local eml = {} -- Array for data in block 32 dig ---Suggestions of improvement:
local a = 0 --- Add support another types of dumps: BIN, JSON
local b = 0 --- Maybe it will be not only as `mfc_gen3_writer`, like a universal dump manager.
local tab = string.rep('-', 64) --- Add undependence from the operation system. At the moment code not working in Linux.
--- Add more chinesse backdoors RAW commands for UID changing (find RAW for the 4 byte familiar chinese card, from native it soft: http://bit.ly/39VIDsU)
--- Hide system messages when you writing a dumps, replace it to some of like [#####----------] 40%
-- iceman notes:
-- doesn't take consideration filepaths for dump files.
-- doesn't allow A keys for authenticating when writing
-- doesn't verify that card is magic gen3.
--]]
copyright = '' copyright = ''
author = 'Winds' author = 'Winds'
version = 'v1.0.0' version = 'v1.0.0'
desc = [[ desc = [[
That's script gives for you a easy way to write your an *.eml dumps, using a Proxmark 3. The script gives you a easy way to write your *.eml dumps onto normal MFC and magic Gen3 cards.
It's working for 4 and 7 bytes NXP MIFARE Classic 1K cards.
The script has including an injection of UID changig for the Chinese Magic Cards GEN 3.
Whith choosen an *.eml file you can do:
1. Write it to the equals of current card UID. Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards.
2. Write it to anther card with changable UID. The script also has the possibility to change UID and permanent lock uid on magic Gen3 cards.
3. Send command to lock UID for the Chinese Magic Cards GEN 3.
4. Erease all data at the card and set the FFFFFFFFFFFF keys, and Access Conditions to 78778800. It supports the following functionality.
1. Write it to the same of current card UID.
2. Write it to magic Gen3 card.
3. Change uid to match dump on magic Gen3 card.
4. Permanent lock UID on magic Gen3 card.
5. Erase all data at the card and set the FF FF FF FF FF FF keys, and Access Conditions to 78778800.
Script works in a wizard styled way.
]] ]]
example = [[ example = [[
1. script run hf-writer 1. script run mfc_gen3_writer
]] ]]
usage = [[ usage = [[
You should choose your *.eml dump from being list to write it to the card by wizard Select your *.eml dump from list to write to the card.
]] ]]
--- ---
@ -40,135 +52,144 @@ local function help()
print(example) print(example)
print(usage) print(usage)
end end
---
local function read() -- GetUID
u = read14a.read(true, true).uid local function GetUID()
return u return read14a.read(true, true).uid
end end
---
local function fkey() --
f = 'FFFFFFFFFFFF' local function dropfield()
return f
end
local function finish()
read14a.disconnect() read14a.disconnect()
core.clearCommandBuffer() core.clearCommandBuffer()
end end
---
-- Wait for tag (MFC)
local function wait() local function wait()
read14a.waitFor14443a() read14a.waitFor14443a()
end end
---
--
local function main(args) local function main(args)
-- Arguments for the script -- Arguments for the script
for o, a in getopt.getopt(args, 'h') do for o, a in getopt.getopt(args, 'h') do
if o == 'h' then return help() end if o == 'h' then return help() end
end end
--File lienght check for detect 4 or 7 bytes local files = {} -- Array for eml files
local b_keys = {} -- Array for B keys
local eml = {} -- Array for data in block 32
local num_dumps = 0 -- num of found eml dump files
local tab = string.rep('-', 64)
--
wait() wait()
print(tab) print(tab)
if string.len(read()) == 14 then -- Detect 7 byte card
l = 29 -- 7 byte length of eml file local length = 23
s = 7 local e = 14
-- Detect 7 byte card
if string.len(GetUID()) == 14 then
length = 29
e = 20 e = 20
else
l = 23 -- 4 byte length of eml file
s = 7
e = 14
end end
---Listern EML files at Client catalog
---List all EML files in /client
for _ in io.popen([[dir ".\" /b]]):lines() do -- for UNIX: ls for _ in io.popen([[dir ".\" /b]]):lines() do -- for UNIX: ls
if string.find(_, '%.eml$') then if string.find(_, '%.eml$') then
if string.len(_) == l then -- There length of eml file
a = a + 1 if string.len(_) == length then -- The length of eml file
uid[a] = string.sub(tostring(_), s, e) -- Cut UID from eml file num_dumps = num_dumps + 1
print(' ' .. a .. ' ' .. '|' .. ' ' .. uid[a]) files[num_dumps] = string.sub(tostring(_), 7, e) -- Cut UID from eml file
print(' '..num_dumps..' | '..files[a])
end end
end end
end end
print(tab) print(tab)
print(' Your card has ' .. read() .. ' UID number\n') print(' Your card has UID '..GetUID())
print(' Choice your dump number to write (from 1 until ' .. a .. ')') print('')
print(' Select which dump to write (1 until '..num_dumps..')')
print(tab) print(tab)
io.write(' --> ') io.write(' --> ')
local no = tonumber(io.read()) local no = tonumber(io.read())
local dump = io.open('./hf-mf-' .. uid[no] .. '-data.eml', 'r'); local dump = io.open('./hf-mf-' .. files[no] .. '-data.eml', 'r');
print(tab) print(tab)
print(' You have been selected ' .. no .. ' card dump, it UID is ' .. uid[no]) print(' You have been selected ' .. no .. ' card dump, with UID : '..files[no])
---EML get B key from opened EML file
--- Load eml file
for _ in dump:lines() do table.insert(eml, _); end for _ in dump:lines() do table.insert(eml, _); end
--- Extract B key from EML file
local b = 0
for i = 1, #eml do for i = 1, #eml do
print('line is type: ', type(eml[i]) )
if (i % 4 == 0) then if (i % 4 == 0) then
repeat repeat
b = b + 1 b = b + 1
B[b] = string.sub(tostring(eml[i]), (string.len(eml[i]) - 11), -- Cut key from block
string.len(eml[i])) -- Cut key from block b_keys[b] = string.sub(tostring(eml[i]), (string.len(eml[i]) - 11), string.len(eml[i]))
until b % 4 == 0 until b % 4 == 0
end end
end end
print(tab)
print(tab) --- Change UID on certain version of magic Gen3 card.
---UID Changing if (utils.confirm(' Change UID ?') == true) then
if (utils.confirm(' Do the UID changing?') == true) then
wait() wait()
core.console('hf 14a raw -s -c -t 2000 90f0cccc10' .. tostring(eml[1])) core.console('hf 14a raw -s -c -t 2000 90f0cccc10'..tostring(eml[1]))
print(tab) print(tab)
print(' The new card UID is: ' .. read()) print(' The new card UID : ' .. GetUID())
end end
print(tab) print(tab)
---UID Blocking
if (utils.confirm(' Would you like to BLOCK the UID for any changing?') == true) then --- Lock UID
if (utils.confirm(' Permanent lock UID ? (card can never change uid again) ') == true) then
wait() wait()
core.console('hf 14a raw -s -c -t 2000 90fd111100') core.console('hf 14a raw -s -c -t 2000 90fd111100')
end end
print(tab)
--- Writing blocks
local default_key = 'FFFFFFFFFFFF'
local default_key_blk = 'FFFFFFFFFFFF78778800FFFFFFFFFFFF'
local empty = string.rep('0', 32)
local cmd_wrbl = 'hf mf wrbl %d B %s %s'
print(tab) if (utils.confirm(' Are you using a empty card with default key?') == true) then
---Wriiting block
if (utils.confirm(' At this case are you using a Blank Card?') == true) then
wait() wait()
for i = 1, #eml do for i = 1, #eml do
core.console('hf mf wrbl ' .. (i - 1) .. ' B ' .. fkey() .. ' ' .. core.console(string.format(cmd_wrbl, (i-1), default_key, eml[i]))
tostring(eml[i]))
end end
print(tab)
else else
print(tab) print(tab)
if (utils.confirm( if (utils.confirm(' Delete ALL data and write all keys to 0x'..default_key..' ?') == true) then
' Do you wishing DELETE ALL DATA and rewrite all keys to ' .. fkey() ..
'?') == true) then
wait() wait()
for i = 1, #eml do for i = 1, #eml do
if (i % 4 == 0) then if (i % 4 == 0) then
core.console( core.console(string.format(cmd_wrbl, (i-1), b_keys[i], default_key_blk))
'hf mf wrbl ' .. (i - 1) .. ' B ' .. tostring(B[i]) .. ' ' ..
fkey() .. '78778800' .. fkey())
else else
core.console( core.console(string.format(cmd_wrbl, (i-1), b_keys[i], empty))
'hf mf wrbl ' .. (i - 1) .. ' B ' .. tostring(B[i]) .. ' ' ..
string.rep('0', 32))
end end
end end
else else
print(tab)
print('Writing to card')
wait() wait()
for i = 1, #eml do for i = 1, #eml do
core.console('hf mf wrbl ' .. (i - 1) .. ' B ' .. tostring(B[i]) .. core.console(string.format(cmd_wrbl, (i-1), b_keys[i], eml[i]))
' ' .. tostring(eml[i]))
end end
end end
end end
finish() dropfield()
print(tab)
print('Done')
end end
main(args)
---General thinks for the future: main(args)
---Add support another types of dumps: BIN, JSON
---Maybe it will be not only as `hf-writer`, like a universal dump manager.
---Add undependence from the operation system. At the moment code not working in Linux.
---Add more chinesse backdoors RAW commands for UID changing (find RAW for the 4 byte familiar chinese card, from native it soft: http://bit.ly/39VIDsU)
---Hide system messages when you writing a dumps, replace it to some of like [#####----------] 40%