Changed mf_backdoor_dump.py: use faster ecfill/eview

2025-08-20 05:13:46 -07:00 · 2024-10-13 22:55:01 +02:00 · 2024-10-13 22:55:01 +02:00 · e661df960f
commit e661df960f
parent e7ff2ad1ca
2 changed files with 19 additions and 44 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,9 +3,10 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
- Changed `hf mf ecfill` to wait for execution and return status (@doegox)
+- Changed `mf_backdoor_dump.py`- use faster ecfill/eview (@doegox)
- Added option to wait for a card to `hf 14a reader` (@doegox)
+- Changed `hf mf ecfill` - wait for execution and return status (@doegox)
- Added support for quick dump via backdoor auth to `hf mf ecfill` (@doegox)
+- Changed `hf 14a reader` - added option to wait for a card (@doegox)
 - Changed `hf mf ecfill` - added support for quick dump via backdoor auth (@doegox)
 - Fixed `hf mf restore` - really skip strict ACLs unless --force (@doegox)
 - Added `hf 14b setuid` - set uid on magic 14b tag (@iceman1001)
 - Changed `hf 14b info` - now detect Tiananxin (@iceman1001)
--- a/client/pyscripts/mf_backdoor_dump.py
+++ b/client/pyscripts/mf_backdoor_dump.py
@ -5,12 +5,9 @@
 # Based on the work in this paper: https://eprint.iacr.org/2024/1275
 import pm3
 import os
 import sys
-TOTAL_SECTORS = 16 #1k chips
+BACKDOOR_KEYS = [("A396EFA4E24F", "1k"), ("A31667A8CEC1", "1k"), ("518B3354E760", "4k")]
 BACKDOOR_KEYS = ["A396EFA4E24F", "A31667A8CEC1", "518B3354E760"]
 WORKING_KEY = None
 required_version = (3, 8)
@ -21,50 +18,27 @@ if sys.version_info < required_version:
 p = pm3.pm3()
 # Test all the keys first to see which one works (if any)
-for bk in BACKDOOR_KEYS:
+for bk, sz in BACKDOOR_KEYS:
-    p.console(f"hf mf rdbl -c 4 --blk 0 --key {bk}")
+    p.console(f"hf mf ecfill --{sz} -c 4 -k {bk}")
    output = p.grabbed_output.split('\n')
-    if "auth error" in output[0].lower():
+    if "[#] Card not found" in output:
        print("Error reading the tag:")
        print("\n".join(output))
        break
    elif "[-]  Fill ( fail )" in output:
        continue
-    elif "can't select card" in output[0].lower():
+    elif "[+] Fill ( ok )" not in output:
        print(f"Error reading the tag: {output[0]}")
        exit()
    elif len(output) < 2 or "sector 0" not in output[1].lower():
        print("Unexpected output, exiting:")
        print("\n".join(output))
-        exit()
+        break
    else:
        WORKING_KEY = bk
        break
-if not WORKING_KEY:
+if WORKING_KEY is None:
    print("None of the backdoor keys seem to work with this tag.")
-    exit()
+else:
-
+    print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
-print(f"Backdoor key {WORKING_KEY} seems to work, dumping data...")
+    print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
-if WORKING_KEY == "518B3354E760":
+    p.console(f"hf mf eview --{sz}", True)
    print(f"Backdoor key is for a 4k chip, will attempt to dump 64 sectors instead of {TOTAL_SECTORS}")
    TOTAL_SECTORS = 64
 print("IMPORTANT: Only data blocks and access bytes can be dumped; keys will be shown as all 0's")
 header = False
 # Read every sector
 for i in range(TOTAL_SECTORS):
    p.console(f"hf mf rdsc -c 4 --key {WORKING_KEY} -s {i}")
    start = False
    for line in p.grabbed_output.split('\n'):
        if not header:
            print(line)
        elif start and len(line) > 0:
            print(line)
            continue
        if "----------" in line:
            start = True
            header = True
            continue
        else:
            continue