Add Mifare Ultralight bruteforce support to hf_bruteforce lua script

2025-08-21 05:43:48 -07:00 · 2020-03-11 18:23:37 +11:00 · 2020-03-11 18:23:37 +11:00 · fa1103bbc3
commit fa1103bbc3
parent 52618303f3
3 changed files with 56 additions and 30 deletions
--- a/client/luascripts/hf_bruteforce.lua
+++ b/client/luascripts/hf_bruteforce.lua
@ -1,27 +1,34 @@
-- Run me like this: proxmark3 /dev/rfcomm0 -l ./hf_bruteforce.lua
+-- Run me like this (connected via USB): ./pm3 -l hf_bruteforce.lua
+-- Run me like this (connected via Blueshark addon): ./client/proxmark3 /dev/rfcomm0 -l ./hf_bruteforce.lua

 local getopt = require('getopt')

 copyright = ''
-author = 'Keld Norman'
-version = 'v1.0.0'
-desc = [[
-
-]]
-example = [[
-    --  (the above example would bruteforce card number, starting at 1, ending at 10, and waiting 1 second between each card)
-
-    script run hf_bruteforce -s 1 -e 10 -t 1000
-]]
+author = 'Daniel Underhay (updated), Keld Norman(original)'
+version = 'v2.0.0'
 usage = [[

-script run hf_bruteforce -s start_id -e end_id -t timeout -d direction
+pm3 --> script run hf_bruteforce -s start_id -e end_id -t timeout -x mifare_card_type

 Arguments:
    -h       this help
    -s       0-0xFFFFFFFF         start id
    -e       0-0xFFFFFFFF         end id
-    -t       0-99999, pause      timeout (ms) between cards (use the word 'pause' to wait for user input)
+    -t       0-99999, pause       timeout (ms) between cards (use the word 'pause' to wait for user input)
+    -x       mfc, mfu             mifare type: mfc for Mifare Classic (default) or mfu for Mifare Ultralight EV1
+
+
+Example:
+
+pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
+
+Bruteforce a 4 byte UID Mifare classic card number, starting at 11223344, ending at 11223346.
+
+
+pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
+
+Bruteforce a 7 byte UID Mifare Ultralight card number, starting at 11223344556677, ending at 11223344556679.
+
 ]]


@ -60,41 +67,49 @@ local function help()
    print(usage)
 end
 ---
-- Exit message
-local function exitMsg(msg)
+--- Print user message
+local function msg(msg)
 print( string.rep('--',20) )
+ print('')
 print(msg)
+ print('')
 print( string.rep('--',20) )
- print()
 end
 ---
 -- Start
 local function main(args)

-    print( string.rep('--',20) )
-    print( string.rep('--',20) )
-    print()
    local timeout = 0
    local start_id = 0
-    local end_id = 0xFFFFFFFF
+    local end_id = 0xFFFFFFFFFFFFFF
+    local mftype = 'mfc'

-    for o, a in getopt.getopt(args, 'e:s:t:h') do
+    for o, a in getopt.getopt(args, 'e:s:t:x:h') do
        if o == 's' then start_id = a end
        if o == 'e' then end_id = a end
        if o == 't' then timeout = a end
+        if o == 'x' then mftype = a end
        if o == 'h' then return print(usage) end
    end

    -- template
-	local command = 'hf 14a sim t 1 u %08X'
+    local command = ''

-	print(' Bruteforcing MFC card numbers from 00000000 to FFFFFFFF using delay: '..timeout)
-    print('')
-    print( string.rep('--',20) )
+    if mftype == 'mfc' then
+        command = 'hf 14a sim t 1 u %14X'
+        msg('Bruteforcing Mifare Classic card numbers')
+    elseif mftype == 'mfu' then
+        command = 'hf 14a sim t 2 u %14X'
+        msg('Bruteforcing Mifare Ultralight card numbers')
+    else
+        return print(usage)
+    end
+
+    if command == '' then return print(usage) end

    for n = start_id, end_id do
        local c = string.format( command, n )
-        print(' Running: "'..c..'"')
+        print('Running: "'..c..'"')
        core.console(c)
 		core.console('msleep '..timeout);
        core.console('hw ping')
@ -102,4 +117,3 @@ local function main(args)

 end
 main(args)
-