From dd8110871dce0e63bc613b7ff61de4140033f608 Mon Sep 17 00:00:00 2001 From: flamebarke <39644720+flamebarke@users.noreply.github.com> Date: Wed, 16 Nov 2022 13:23:50 +0800 Subject: [PATCH 1/3] Create hf_mfu_next.lua Add to CHANGELOG.md Rename to hf_mfu_ntag.lua Signed-off-by: flamebarke <39644720+flamebarke@users.noreply.github.com> --- client/luascripts/hf_mfu_next.lua | 171 ++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 client/luascripts/hf_mfu_next.lua diff --git a/client/luascripts/hf_mfu_next.lua b/client/luascripts/hf_mfu_next.lua new file mode 100644 index 000000000..0709fc9f8 --- /dev/null +++ b/client/luascripts/hf_mfu_next.lua 
@@ -0,0 +1,171 @@ +local getopt = require('getopt') +local ansicolors = require('ansicolors') + +copyright = '' +author = 'Shain Lakin' +version = 'v1.0.0' +desc =[[ + +This script modifies the DT NeXT implant (NTAG216) configuration pages. + +- NeXT Defaults - + +Default hf mfu info: +---------------------------------------------------------------------- +[=] --- Tag Configuration +[=] cfg0 [227/0xE3]: 04 00 00 E3 +[=] - strong modulation mode disabled +[=] - page 227 and above need authentication +[=] cfg1 [228/0xE4]: 00 05 00 00 +[=] - Unlimited password attempts +[=] - NFC counter disabled +[=] - NFC counter not protected +[=] - user configuration writeable +[=] - write access is protected with password +[=] - 05, Virtual Card Type Identifier is default +[=] PWD [229/0xE5]: 00 00 00 00 - (cannot be read) +[=] PACK [230/0xE6]: 00 00 - (cannot be read) +[=] RFU [230/0xE6]: 00 00 - (cannot be read) +---------------------------------------------------------------------- + +Default blocks 0xE0 to 0xE6: +------------------------------------- +[=] 224/0xE0 | 00 00 00 00 | 0 | .... +[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT +[=] 226/0xE2 | 00 00 7F BD | 0 | .... +[=] 227/0xE3 | 04 00 00 E3 | 0 | .... +[=] 228/0xE4 | 00 05 00 00 | 0 | .... +[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR +[=] 230/0xE6 | 00 00 00 00 | 0 | .... 
+------------------------------------- +]] + +example =[[ + +Set a new password of SUDO using the default password of DNGR: + + script run hf_mfu_next -x pass -p DNGR -n SUDO + +Enable password protection from hex block 04 onwards (User memory): + + script run hf_mfu_next -x protect -p DNGR -a 04 + +Enable password protection from hex block E3 onwards (Configuration Pages): + + script run hf_mfu_next -x protect -p DNGR -a E3 + +Disable password protection: + + script run hf_mfu_next -x protect -p DNGR -a FF + +Enable the counter and enable read + write password protection on password protected pages +(protected block start page specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c enable -m rw + +Disable the counter and enable write only password protection on password protected pages +(protected block start specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c disable -m w + +]] +usage = [[ + + script run hf_mfu_next -x pass -p -n + script run hf_mfu_next -x protect -p -a + script run hf_mfu_next -x conf -p -c -m + +]] +arguments = [[ + -h this help + -x mode (pass, protect, conf) + -p password (ascii) + -n new password (ascii) + -a auth0 block (hex) + -c counter (enable/disable) + -m protection mode (r/rw) +]] +--- +--- Usage help +local function help() + print(copyright) + print(author) + print(version) + print(desc) + print(ansicolors.cyan..'Usage'..ansicolors.reset) + print(usage) + print(ansicolors.cyan..'Arguments'..ansicolors.reset) + print(arguments) + print(ansicolors.cyan..'Example usage'..ansicolors.reset) + print(example) +end +--- +--- Print user message +local function msg(msg) + print( string.rep('--',20) ) + print('') + print(msg) + print('') + print( string.rep('--',20) ) +end +--- +--- String to hex function +local function strhex(str) + return (str:gsub(".", function(char) return string.format("%2x", char:byte()) end)) + end +--- +-- Main +local function main(args) + + for o, a in 
getopt.getopt(args, 'b:m:c:a:p:x:n:h') do + if o == 'm' then prot_mode = a end + if o == 'c' then counter = a end + if o == 'a' then auth0_block = a end + if o == 'p' then passwd = strhex(a) end + if o == 'x' then mode = a end + if o == 'n' then new_pass = strhex(a) end + if o == 'h' then return help() end + end + + if mode == 'pass' then + command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd + msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command) + core.console(command) + command = 'hf mfu rdbl -b 0 -k '..new_pass..'' + msg('Verifying password is correctly set : \n\n'..command) + core.console(command) + elseif mode == 'conf' then + if counter == 'enable' then + if prot_mode == 'r' then + command = 'hf mfu wrbl -b 228 -d 10050000 -k '..passwd + msg('Enabling counter and setting write access to protected pages as password protected : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 90050000 -k '..passwd + msg('Enabling counter and setting read/write access to protected pages as password protected : \n\n'..command) + core.console(command) + end + elseif counter == 'disable' then + if prot_mode == 'w' then + command = 'hf mfu wrbl -b 228 -d 00050000 -k '..passwd + msg('Disabling counter and setting write password protection on protected pages : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 80050000 -k '..passwd + msg('Disabling counter and setting read/write password protection on protected pages : \n\n'..command) + core.console(command) + end + end + elseif mode == 'protect' then + command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block + msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command) + core.console(command) + else + return print(usage) + end + + if command == '' then return print(usage) end + + +end +main(args) 
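Review bot: `main` builds the `hf mfu wrbl` commands for pages 227–229 straight from `-p`, `-n` and `-a` without checking them. A missing option raises a nil-concatenation error, and a password that is not four bytes or an `-a` value that is not two hex digits is passed on to a write to the tag's password and AUTH0 pages. `strhex` formats with `%2x`, which pads with a space instead of a zero, so any byte below 0x10 produces a broken hex string. In the `conf` branch the enable path tests `prot_mode == 'r'` where the disable path and the examples use `'w'`, so `-c enable -m w` does nothing; that line should read `if prot_mode == 'w' then`. Nothing is printed in that case because `command` is nil rather than `''` when no branch matched. The same code is re-added as `hf_mfu_ntag.lua` in PATCH 3/3, so the checks sketched below apply there as well.

```lua
local function strhex(str)
    -- %02x zero-pads, so every byte becomes exactly two hex digits
    return (str:gsub('.', function(c) return string.format('%02x', c:byte()) end))
end

-- … unchanged: getopt loop in main() …

    -- PWD is a single 4-byte page, so each password must hex-encode to 8 digits
    if not passwd or #passwd ~= 8 then
        return print('-p must be exactly 4 ASCII characters')
    end
    if mode == 'pass' and (not new_pass or #new_pass ~= 8) then
        return print('-n must be exactly 4 ASCII characters')
    end
    -- AUTH0 is one byte: exactly two hex digits
    if mode == 'protect' and not (auth0_block and auth0_block:match('^%x%x$')) then
        return print('-a must be two hex digits, e.g. E3')
    end

-- … unchanged: mode dispatch (pass / conf / protect) …

    -- command stays nil when no conf combination matched
    if not command then return print(usage) end
```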
From 6381a1924353e85559f1218e373dfaefe6df92c9 Mon Sep 17 00:00:00 2001 From: Shain Lakin Date: Wed, 16 Nov 2022 14:10:45 +0800 Subject: [PATCH 2/3] Rename to hf_mfu_next.lua Add entry to changelog.md --- client/luascripts/hf_mfu_next.lua | 171 ------------------------------ 1 file changed, 171 deletions(-) delete mode 100644 client/luascripts/hf_mfu_next.lua diff --git a/client/luascripts/hf_mfu_next.lua b/client/luascripts/hf_mfu_next.lua deleted file mode 100644 index 0709fc9f8..000000000 --- a/client/luascripts/hf_mfu_next.lua +++ /dev/null 
@@ -1,171 +0,0 @@ -local getopt = require('getopt') -local ansicolors = require('ansicolors') - -copyright = '' -author = 'Shain Lakin' -version = 'v1.0.0' -desc =[[ - -This script modifies the DT NeXT implant (NTAG216) configuration pages. - -- NeXT Defaults - - -Default hf mfu info: ----------------------------------------------------------------------- -[=] --- Tag Configuration -[=] cfg0 [227/0xE3]: 04 00 00 E3 -[=] - strong modulation mode disabled -[=] - page 227 and above need authentication -[=] cfg1 [228/0xE4]: 00 05 00 00 -[=] - Unlimited password attempts -[=] - NFC counter disabled -[=] - NFC counter not protected -[=] - user configuration writeable -[=] - write access is protected with password -[=] - 05, Virtual Card Type Identifier is default -[=] PWD [229/0xE5]: 00 00 00 00 - (cannot be read) -[=] PACK [230/0xE6]: 00 00 - (cannot be read) -[=] RFU [230/0xE6]: 00 00 - (cannot be read) ----------------------------------------------------------------------- - -Default blocks 0xE0 to 0xE6: -------------------------------------- -[=] 224/0xE0 | 00 00 00 00 | 0 | .... -[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT -[=] 226/0xE2 | 00 00 7F BD | 0 | .... -[=] 227/0xE3 | 04 00 00 E3 | 0 | .... -[=] 228/0xE4 | 00 05 00 00 | 0 | .... -[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR -[=] 230/0xE6 | 00 00 00 00 | 0 | .... 
-------------------------------------- -]] - -example =[[ - -Set a new password of SUDO using the default password of DNGR: - - script run hf_mfu_next -x pass -p DNGR -n SUDO - -Enable password protection from hex block 04 onwards (User memory): - - script run hf_mfu_next -x protect -p DNGR -a 04 - -Enable password protection from hex block E3 onwards (Configuration Pages): - - script run hf_mfu_next -x protect -p DNGR -a E3 - -Disable password protection: - - script run hf_mfu_next -x protect -p DNGR -a FF - -Enable the counter and enable read + write password protection on password protected pages -(protected block start page specified using -x protect mode): - - script run hf_mfu_next -x conf -p DNGR -c enable -m rw - -Disable the counter and enable write only password protection on password protected pages -(protected block start specified using -x protect mode): - - script run hf_mfu_next -x conf -p DNGR -c disable -m w - -]] -usage = [[ - - script run hf_mfu_next -x pass -p -n - script run hf_mfu_next -x protect -p -a - script run hf_mfu_next -x conf -p -c -m - -]] -arguments = [[ - -h this help - -x mode (pass, protect, conf) - -p password (ascii) - -n new password (ascii) - -a auth0 block (hex) - -c counter (enable/disable) - -m protection mode (r/rw) -]] ---- ---- Usage help -local function help() - print(copyright) - print(author) - print(version) - print(desc) - print(ansicolors.cyan..'Usage'..ansicolors.reset) - print(usage) - print(ansicolors.cyan..'Arguments'..ansicolors.reset) - print(arguments) - print(ansicolors.cyan..'Example usage'..ansicolors.reset) - print(example) -end ---- ---- Print user message -local function msg(msg) - print( string.rep('--',20) ) - print('') - print(msg) - print('') - print( string.rep('--',20) ) -end ---- ---- String to hex function -local function strhex(str) - return (str:gsub(".", function(char) return string.format("%2x", char:byte()) end)) - end ---- --- Main -local function main(args) - - for o, a in 
getopt.getopt(args, 'b:m:c:a:p:x:n:h') do - if o == 'm' then prot_mode = a end - if o == 'c' then counter = a end - if o == 'a' then auth0_block = a end - if o == 'p' then passwd = strhex(a) end - if o == 'x' then mode = a end - if o == 'n' then new_pass = strhex(a) end - if o == 'h' then return help() end - end - - if mode == 'pass' then - command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd - msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command) - core.console(command) - command = 'hf mfu rdbl -b 0 -k '..new_pass..'' - msg('Verifying password is correctly set : \n\n'..command) - core.console(command) - elseif mode == 'conf' then - if counter == 'enable' then - if prot_mode == 'r' then - command = 'hf mfu wrbl -b 228 -d 10050000 -k '..passwd - msg('Enabling counter and setting write access to protected pages as password protected : \n\n'..command) - core.console(command) - elseif prot_mode == 'rw' then - command = 'hf mfu wrbl -b 228 -d 90050000 -k '..passwd - msg('Enabling counter and setting read/write access to protected pages as password protected : \n\n'..command) - core.console(command) - end - elseif counter == 'disable' then - if prot_mode == 'w' then - command = 'hf mfu wrbl -b 228 -d 00050000 -k '..passwd - msg('Disabling counter and setting write password protection on protected pages : \n\n'..command) - core.console(command) - elseif prot_mode == 'rw' then - command = 'hf mfu wrbl -b 228 -d 80050000 -k '..passwd - msg('Disabling counter and setting read/write password protection on protected pages : \n\n'..command) - core.console(command) - end - end - elseif mode == 'protect' then - command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block - msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command) - core.console(command) - else - return print(usage) - end - - if command == '' then return print(usage) end - - -end -main(args) 
From 789e338c4fd939436900208bbcd0242482e9eaf5 Mon Sep 17 00:00:00 2001 From: Shain Lakin Date: Wed, 16 Nov 2022 14:14:50 +0800 Subject: [PATCH 3/3] Renamed to hf_mfu_ntag Modified CHANGELOG.md --- CHANGELOG.md | 1 + client/luascripts/hf_mfu_ntag.lua | 171 ++++++++++++++++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 client/luascripts/hf_mfu_ntag.lua diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f75478e7..afe7f7fe4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added luascript `hf_mfu_ntag` - Script for configuring NTAG216 configuration pages (@flamebarke) - Changed `hf mf hardnested` - a detection for static encrypted nonces (@iceman1001) - Added requirements.txt file to tools folder. Minimum to run pm3_tests.sh (@iceman1001) - Changed `hf mf hardnested` - now can detect and use MFC EV1 signature sector key (@iceman1001) diff --git a/client/luascripts/hf_mfu_ntag.lua b/client/luascripts/hf_mfu_ntag.lua new file mode 100644 index 000000000..0709fc9f8 --- /dev/null +++ b/client/luascripts/hf_mfu_ntag.lua 
@@ -0,0 +1,171 @@ +local getopt = require('getopt') +local ansicolors = require('ansicolors') + +copyright = '' +author = 'Shain Lakin' +version = 'v1.0.0' +desc =[[ + +This script modifies the DT NeXT implant (NTAG216) configuration pages. + +- NeXT Defaults - + +Default hf mfu info: +---------------------------------------------------------------------- +[=] --- Tag Configuration +[=] cfg0 [227/0xE3]: 04 00 00 E3 +[=] - strong modulation mode disabled +[=] - page 227 and above need authentication +[=] cfg1 [228/0xE4]: 00 05 00 00 +[=] - Unlimited password attempts +[=] - NFC counter disabled +[=] - NFC counter not protected +[=] - user configuration writeable +[=] - write access is protected with password +[=] - 05, Virtual Card Type Identifier is default +[=] PWD [229/0xE5]: 00 00 00 00 - (cannot be read) +[=] PACK [230/0xE6]: 00 00 - (cannot be read) +[=] RFU [230/0xE6]: 00 00 - (cannot be read) +---------------------------------------------------------------------- + +Default blocks 0xE0 to 0xE6: +------------------------------------- +[=] 224/0xE0 | 00 00 00 00 | 0 | .... +[=] 225/0xE1 | 4E 45 78 54 | 0 | NExT +[=] 226/0xE2 | 00 00 7F BD | 0 | .... +[=] 227/0xE3 | 04 00 00 E3 | 0 | .... +[=] 228/0xE4 | 00 05 00 00 | 0 | .... +[=] 229/0xE5 | 44 4E 47 52 | 0 | DNGR +[=] 230/0xE6 | 00 00 00 00 | 0 | .... 
+------------------------------------- +]] + +example =[[ + +Set a new password of SUDO using the default password of DNGR: + + script run hf_mfu_next -x pass -p DNGR -n SUDO + +Enable password protection from hex block 04 onwards (User memory): + + script run hf_mfu_next -x protect -p DNGR -a 04 + +Enable password protection from hex block E3 onwards (Configuration Pages): + + script run hf_mfu_next -x protect -p DNGR -a E3 + +Disable password protection: + + script run hf_mfu_next -x protect -p DNGR -a FF + +Enable the counter and enable read + write password protection on password protected pages +(protected block start page specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c enable -m rw + +Disable the counter and enable write only password protection on password protected pages +(protected block start specified using -x protect mode): + + script run hf_mfu_next -x conf -p DNGR -c disable -m w + +]] +usage = [[ + + script run hf_mfu_next -x pass -p -n + script run hf_mfu_next -x protect -p -a + script run hf_mfu_next -x conf -p -c -m + +]] +arguments = [[ + -h this help + -x mode (pass, protect, conf) + -p password (ascii) + -n new password (ascii) + -a auth0 block (hex) + -c counter (enable/disable) + -m protection mode (r/rw) +]] +--- +--- Usage help +local function help() + print(copyright) + print(author) + print(version) + print(desc) + print(ansicolors.cyan..'Usage'..ansicolors.reset) + print(usage) + print(ansicolors.cyan..'Arguments'..ansicolors.reset) + print(arguments) + print(ansicolors.cyan..'Example usage'..ansicolors.reset) + print(example) +end +--- +--- Print user message +local function msg(msg) + print( string.rep('--',20) ) + print('') + print(msg) + print('') + print( string.rep('--',20) ) +end +--- +--- String to hex function +local function strhex(str) + return (str:gsub(".", function(char) return string.format("%2x", char:byte()) end)) + end +--- +-- Main +local function main(args) + + for o, a in 
getopt.getopt(args, 'b:m:c:a:p:x:n:h') do + if o == 'm' then prot_mode = a end + if o == 'c' then counter = a end + if o == 'a' then auth0_block = a end + if o == 'p' then passwd = strhex(a) end + if o == 'x' then mode = a end + if o == 'n' then new_pass = strhex(a) end + if o == 'h' then return help() end + end + + if mode == 'pass' then + command = 'hf mfu wrbl -b 229 -d '..new_pass..' -k '..passwd + msg('Writing '..new_pass..' to PASSWD block (229/0xE5) : \n\n'..command) + core.console(command) + command = 'hf mfu rdbl -b 0 -k '..new_pass..'' + msg('Verifying password is correctly set : \n\n'..command) + core.console(command) + elseif mode == 'conf' then + if counter == 'enable' then + if prot_mode == 'r' then + command = 'hf mfu wrbl -b 228 -d 10050000 -k '..passwd + msg('Enabling counter and setting write access to protected pages as password protected : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 90050000 -k '..passwd + msg('Enabling counter and setting read/write access to protected pages as password protected : \n\n'..command) + core.console(command) + end + elseif counter == 'disable' then + if prot_mode == 'w' then + command = 'hf mfu wrbl -b 228 -d 00050000 -k '..passwd + msg('Disabling counter and setting write password protection on protected pages : \n\n'..command) + core.console(command) + elseif prot_mode == 'rw' then + command = 'hf mfu wrbl -b 228 -d 80050000 -k '..passwd + msg('Disabling counter and setting read/write password protection on protected pages : \n\n'..command) + core.console(command) + end + end + elseif mode == 'protect' then + command = 'hf mfu wrbl -k '..passwd..' -b 227 -d 040000'..auth0_block + msg('Enabling password protection from block '..auth0_block..' onwards : \n\n'..command) + core.console(command) + else + return print(usage) + end + + if command == '' then return print(usage) end + + +end +main(args)
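Review bot: The `usage` and `example` strings in this re-added file still invoke `script run hf_mfu_next`, but the file is now `client/luascripts/hf_mfu_ntag.lua`, so every command the help prints names the script that PATCH 2/3 deleted. Each line should use the new name, e.g. `script run hf_mfu_ntag -x pass -p DNGR -n SUDO`. The `arguments` text also documents `-m protection mode (r/rw)` while the last example passes `-m w`; the help should list whichever spellings `main` actually accepts, so that a user changing the protection bits on the tag is not left with a command that silently does nothing.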