From e661df960f58a7ffe4c6b8af3b072883543848af Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sun, 13 Oct 2024 22:55:01 +0200
Subject: [PATCH] Changed mf_backdoor_dump.py: use faster ecfill/eview

---
 CHANGELOG.md                         | 7 ++--
 client/pyscripts/mf_backdoor_dump.py | 56 ++++++++--------------------
 2 files changed, 19 insertions(+), 44 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3de7fe0a0..05097e5fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,10 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
-- Changed `hf mf ecfill` to wait for execution and return status (@doegox)
-- Added option to wait for a card to `hf 14a reader` (@doegox)
-- Added support for quick dump via backdoor auth to `hf mf ecfill` (@doegox)
+- Changed `mf_backdoor_dump.py`- use faster ecfill/eview (@doegox)
+- Changed `hf mf ecfill` - wait for execution and return status (@doegox)
+- Changed `hf 14a reader` - added option to wait for a card (@doegox)
+- Changed `hf mf ecfill` - added support for quick dump via backdoor auth (@doegox)
 - Fixed `hf mf restore` - really skip strict ACLs unless --force (@doegox)
 - Added `hf 14b setuid` - set uid on magic 14b tag (@iceman1001)
 - Changed `hf 14b info` - now detect Tiananxin (@iceman1001)
diff --git a/client/pyscripts/mf_backdoor_dump.py b/client/pyscripts/mf_backdoor_dump.py
index 768622bae..bb564544d 100644
--- a/client/pyscripts/mf_backdoor_dump.py
+++ b/client/pyscripts/mf_backdoor_dump.py
@@ -5,12 +5,9 @@
 # Based on the work in this paper: https://eprint.iacr.org/2024/1275
 
 import pm3
-import os
 import sys
 
-TOTAL_SECTORS = 16 #1k chips
-
-BACKDOOR_KEYS = ["A396EFA4E24F", "A31667A8CEC1", "518B3354E760"]
+BACKDOOR_KEYS = [("A396EFA4E24F", "1k"), ("A31667A8CEC1", "1k"), ("518B3354E760", "4k")]
 WORKING_KEY = None
 
 required_version = (3, 8)
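Review bot: The new `BACKDOOR_KEYS` tuples carry the `ecfill` size flag but nothing says which chip family each key opens, and the only hint the old code had (`#1k chips` on `TOTAL_SECTORS`) is removed in this hunk. A one-line comment above the list would save the next reader a trip to the paper, e.g. `# (backdoor key, hf mf ecfill size flag); see the paper above for which Fudan variant each key unlocks` — presumably the FM11RF08S / FM11RF08 / FM11RF32 parts it analyses, but verify against the paper before naming them. Worth stating in that comment too that the second field is interpolated verbatim into `hf mf ecfill --{sz}`, so it must remain one of the size flags that command accepts.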
@@ -21,50 +18,27 @@ if sys.version_info < required_version:
 
 p = pm3.pm3()
 
 # Test all the keys first to see which one works (if any)
-for bk in BACKDOOR_KEYS:
-    p.console(f"hf mf rdbl -c 4 --blk 0 --key {bk}")
+for bk, sz in BACKDOOR_KEYS:
+    p.console(f"hf mf ecfill --{sz} -c 4 -k {bk}")
     output = p.grabbed_output.split('\n')
-    if "auth error" in output[0].lower():
+    if "[#] Card not found" in output:
+        print("Error reading the tag:")
+        print("\n".join(output))
+        break
+    elif "[-] Fill ( fail )" in output:
         continue
-    elif "can't select card" in output[0].lower():
-        print(f"Error reading the tag: {output[0]}")
-        exit()
-    elif len(output) < 2 or "sector 0" not in output[1].lower():
+    elif "[+] Fill ( ok )" not in output:
         print("Unexpected output, exiting:")
         print("\n".join(output))
-        exit()
+        break
     else:
         WORKING_KEY = bk
         break
 
-if not WORKING_KEY:
+if WORKING_KEY is None:
     print("None of the backdoor keys seem to work with this tag.")
-    exit()
-
-print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
-if WORKING_KEY == "518B3354E760":
-    print(f"Backdoor key is for a 4k chip, will attempt to dump 64 sectors instead of {TOTAL_SECTORS}")
-    TOTAL_SECTORS = 64
-print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
-
-header = False
-# Read every sector
-for i in range(TOTAL_SECTORS):
-    p.console(f"hf mf rdsc -c 4 --key {WORKING_KEY} -s {i}")
-
-    start = False
-    for line in p.grabbed_output.split('\n'):
-        if not header:
-            print(line)
-        elif start and len(line) > 0:
-            print(line)
-        continue
-
-        if "----------" in line:
-            start = True
-            header = True
-            continue
-        else:
-            continue
-
+else:
+    print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
+    print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
+    p.console(f"hf mf eview --{sz}", True)
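Review bot: The `break` that replaces `exit()` in the `[#] Card not found` and unexpected-output branches falls straight into `if WORKING_KEY is None`, so an aborted run ends with the error report followed by the misleading "None of the backdoor keys seem to work with this tag."; the final `else` also reads `sz` as a loop variable that outlived the loop, which only holds because the iteration that set `WORKING_KEY` is the one that broke. If dropping `exit()` is deliberate (it looks like avoiding SystemExit inside the embedded interpreter, but that is inferred), a `for … else` separates "every key tried, none worked" from "aborted on error", and recording the size next to the key (add `WORKING_SIZE = None` beside `WORKING_KEY = None`) makes the `eview` argument explicit. The success-detection still hinges on exact client strings such as `"[+] Fill ( ok )"`, as the old code did on `"sector 0"`; a comment naming that dependency would help whoever changes the `ecfill` output next. Sketch of the rewritten tail below, unchanged branches elided.

```python
    # … unchanged: ecfill call, output capture, error / fail / unexpected branches …
    else:
        WORKING_KEY, WORKING_SIZE = bk, sz
        break
else:
    # only reached when the loop was not broken: every key tried, none accepted
    print("None of the backdoor keys seem to work with this tag.")

if WORKING_KEY is not None:
    # … unchanged: status prints …
    p.console(f"hf mf eview --{WORKING_SIZE}", True)
```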