Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2013-09-19 22:09:22

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Scripting committed to trunk

So, it's in trunk, finally.

I hope to add a few scripts, there are several I have in mind. Write here about any problems or questions with the scripting-things. I'll update this topic with more information later on, a bit late right now.

Offline

#2 2013-09-20 08:32:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Scripting committed to trunk

Great work getting the scripting branch into the trunk.

However I can't compile it under win7.  I read your note about -ldl and removed it from line 16 inside the client/Makefile.
After this change, it compiles.

Offline

#3 2013-09-20 11:08:25

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Ah, I made a mistake. I fixed so -ldl is added for linux builds, but forgot to remove the flag for windows. Fixed in r774.. Does it work?

Last edited by holiman (2013-09-20 11:08:44)

Offline

#4 2013-09-20 12:24:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Scripting committed to trunk

It works.

Offline

#5 2013-09-20 12:29:05

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Great man ! Waiting for an extended explanation on how to use scripts in order to add it (with your permission!) to the windows GUI.
Will you remove the "scripting" voice from the "branches" (now it is present together with "new hope" and "epa") ?

Last edited by asper (2013-09-20 12:40:12)

Offline

#6 2013-09-20 13:28:27

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

asper wrote:

Great man ! Waiting for an extended explanation on how to use scripts in order to add it (with your permission!) to the windows GUI.

Yes, I know, I am planning to write one. Actually, I am planning to update the wiki with a section about scripting. Things get lost in this forum... :)


asper wrote:

Will you remove the "scripting" voice from the "branches" (now it is present together with "new hope" and "epa") ?

*poff* - and just like that, it's gone! (r775)

Offline

#7 2013-09-20 17:21:23

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Scripting committed to trunk

If you develop new functions with this, I hope that the data attributes to send for any scripting file are accessible directly from the console commands like any previous functions so that you can easily use it with any GUI, and not "hard coded" into the scripting file. :)

Offline

#8 2013-09-20 18:09:55

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

urkis wrote:

If you develop new functions with this, I hope that the data attributes to send for any scripting file are accessible directly from the console commands like any previous functions so that you can easily use it with any GUI, and not "hard coded" into the scripting file. :)

Nice that you would mention that..

Right before I merged with trunk, I implemented so you can pass parameters to scripts. An example script which does this is in the source, https://code.google.com/p/proxmark3/source/browse/trunk/client/scripts/parameters.lua .

I am currently working on a script which sends raw 14443a-data, this functionality won't be accessible via the "old" commandline interface, but it will be invokable instead through the scripting-interface. This is how it will work:

Arguments:
	-o 				do not connect - use this only if you previously used -p to stay connected 
	-r 				do not read response
	-c 				calculate and append CRC
	-p 				stay connected - dont inactivate the field
	-x <payload> 	Data to send (NO SPACES!)

Examples : 
# 1. Connect and don't disconnect
script run writeraw -p
# 2. Send mf auth, read response (nonce)
script run writeraw -o -x 6000F57b -p
# 3. disconnect
script run writeraw -o

# All three steps in one go:
script run writeraw -x 6000F57b

This is quite similar to the write 14443b-raw functionality that @jonor implemented:

-r    do not read response
-c    calculate and append CRC
-p    leave the field on after receive

So a script can be written to look a lot like an 'old style' command, yes. 

Sidenote: the scripts also have the capability to ask the user for input, *and* it is easy to modify a script (at least if the script is written in a way which clearly explains what to modify for a particular scenario). When a script is modified, you don't even have to restart the pm3, it is effective instantaneously.

Offline
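
An added illustration (not holiman's script and not code from the Proxmark3 tree) of what the -c option described in the post above has to compute: the ISO 14443-3 Type A CRC, appended low byte first. The function names are made up for this example; the payload 6000 is the first two bytes of the 6000F57b example in the post.

```lua
-- Added example: CRC_A for a hex payload, written without any bit library
-- so it runs unchanged on Lua 5.1 through 5.4.

-- XOR of two non-negative integers using only arithmetic.
local function bxor(a, b)
  local result, weight = 0, 1
  while a > 0 or b > 0 do
    if a % 2 ~= b % 2 then result = result + weight end
    a, b, weight = math.floor(a / 2), math.floor(b / 2), weight * 2
  end
  return result
end

-- Turn "6000" into {0x60, 0x00}. Spaces or odd lengths are rejected,
-- matching the "NO SPACES!" rule of the -x argument.
local function hex_to_bytes(hex)
  if #hex == 0 or #hex % 2 ~= 0 or hex:find("[^%x]") then
    return nil, "payload must be an even number of hex digits, no spaces"
  end
  local bytes = {}
  for pair in hex:gmatch("%x%x") do
    bytes[#bytes + 1] = tonumber(pair, 16)
  end
  return bytes
end

-- CRC_A as defined in ISO/IEC 14443-3: initial value 0x6363.
-- Returns the two CRC bytes in transmission order (low byte, high byte).
local function crc_a(bytes)
  local crc = 0x6363
  for _, byte in ipairs(bytes) do
    local b = bxor(byte, crc % 0x100)
    b = bxor(b, (b * 0x10) % 0x100)
    crc = bxor(bxor(math.floor(crc / 0x100), b * 0x100),
               bxor(b * 8, math.floor(b / 0x10)))
  end
  return crc % 0x100, math.floor(crc / 0x100)
end

-- Validate the payload and return it with the CRC appended, as hex.
local function append_crc_a(hex)
  local bytes, err = hex_to_bytes(hex)
  if not bytes then return nil, err end
  local lo, hi = crc_a(bytes)
  return hex:upper() .. string.format("%02X%02X", lo, hi)
end

-- 60 00 with its CRC is the 6000F57b frame used in the post's examples.
assert(append_crc_a("6000") == "6000F57B")
-- A payload containing a space is refused instead of being silently truncated.
assert(append_crc_a("60 00") == nil)
print(append_crc_a("6000"))
```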

#9 2013-09-21 21:54:27

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

The writeraw for 14a has been committed! Asper, let me know if it works for you, or if there is anything else you need. The script itself is not very big, it uses partly a few libraries I have done previously for the mfkeys-script.

I also added some selftests, so it can be invoked with 'script run 14araw --test', to see that the usage examples work.

For my next script, it will either be a foray into LF tag identification, or a script to gain access to systems which use a 'magic number' on some sector of a mifare card, and make that incrementing.
If anyone here wants to cooperate regarding LF-tags, send me an email. I need to figure out the best way to read out, identify and decode an unknown LF-card, preferably without any user input. It seems that involves a lot of steps; determining correct frequency 125 or 134, bitstream period, modulation type, denibbling and so on. Lots of quirks. I want to get rid of that.

I don't find the information available at https://code.google.com/p/proxmark3/wiki/TagOps#Reading_an_unknown_tag all that enlightening, so it'd be great to co-write a script with someone who knows this stuff better than me.

Offline

#10 2013-09-21 21:57:51

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Script idea: a script which dumps a mifare card (or takes a previous dump), and creates a html/js-report visualizing the data on the card with colors and interactivity, kind of like ikarus does with mct. Should be pretty simple, I can help out if anyone wants to do this.

Offline

#11 2013-09-22 13:39:32

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

I am testing new 14a raw with direct commands thanks to a jonor patch; if it works probably it will be committed.

For now everything seems to work great, the only thing not working is sending commands to Chinese changeable UID (the ones needing send of byte 40 and 43); if someone can explain to me how/what exactly to send to those cards I will really appreciate !

For now I added read/write support for ntag203 and my-d move ISO14443A tags; new GUI settings.xml will be released soon.

EDIT: problem with Chinese changeable UID solved: 40 must be sent 7bits while 43 8bits. Now 14443A raw seems to work fine !

Last edited by asper (2013-09-22 18:31:43)

Offline

#12 2013-09-22 18:54:32

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Ok... the things you're implementing right now - does that only land in the windows-client or does it also come into the pm3 proper somehow?

Offline

#13 2013-09-22 19:23:51

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

It's a proxmark source code patch, I only re-adapted the GUI settings to add support for it.
The new command is my-long-awaited hf 14a raw.

Offline

#14 2013-09-22 19:28:19

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

I know, and all of a sudden you have two :)
But I was wondering about "ntag203 and my-d move" - is there a particular sequence of rawwrites you do in order to read them? In that case, it would be good to have it in the pm3. But maybe I am misreading you, having never used the gui tool..

Offline

#15 2013-09-22 20:17:51

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

They use commonly used iso14443A commands (30 to read and A2 to write) without authenticating. I added a brief explanation in settings.xml; someone should write a GUI for linux ;)

If you want to directly implement them in a script it will be good mainly to have a full readable dump without sending multiple commands to tag.

Offline

#16 2013-10-03 21:15:50

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Wrote a little about scripting and general pm3-development here : http://martin.swende.se/blog/Proxmark3.html

Offline

#17 2013-10-03 22:06:27

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Great ! I will add the link in the script section of the next version of GUI settings.xml !

Offline

#18 2013-10-07 14:16:41

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Some more information: http://martin.swende.se/blog/Proxmark_Scripting_1.html

Offline

#19 2013-10-07 14:25:04

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Added to settings.xml. It will be available in the next GUI release ! Thank you !

Offline

#20 2013-10-07 18:37:26

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Problem:

proxmark3> script run dumptoemul.lua   
--- Executing: ./scripts/dumptoemul.lua, args''
./scripts/dumptoemul.lua:3: module 'getopt' not found:
    no field package.preload['getopt']
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\getopt.lua'
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\getopt\init.lua'
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\getopt.lua'
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\getopt\init.lua'
    no file '.\getopt.lua'
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\getopt.dll'
    no file 'C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\loadall.dll'
    no file '.\getopt.dll'

"getopt.lua" is searched in /getopt, /lua, and /.exe folder and not in /lualibs folder where other lua libs are.

Last edited by asper (2013-10-07 18:38:29)

Offline

#21 2013-10-07 18:42:21

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

That's strange - either all of them should fail like that or none of them. Could you try the thing you did earlier, with

print("package.path", package.path)

Edit : Also, can you confirm that it is only that one and not the others?

Last edited by holiman (2013-10-07 18:42:49)

Offline

#22 2013-10-07 19:06:08

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

You are right, the problem is also with the other scripts (like the other time) !

proxmark3> script run test2.lua
--- Executing: ./scripts/test2.lua, args''
package.path=    C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?\init.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?\init.lua;.\?.lua
-----Finished

The folder searched is /lua and not /lualibs.

Last edited by asper (2013-10-07 19:07:34)

Offline

#23 2013-10-07 19:48:35

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Hm, strange, somehow the package.path is not getting set, obviously. Has this been a problem before, or has it not been tested before?
Could you try the following (as a script):

print(package.path)
package.path = package.path .. ";.\lualibs\?.lua"
print(package.path)
x = require('getopt')
print(x)

It's basically just what I am already doing from the C-side, but it appears that for some reason that fails..
If the above code does not work (gives exceptions), please try the one below. An answer on stack overflow indicates it may be that the path needs to end with the current directory, so the code below is a second shot. Please try both..

print(package.path)
package.path = package.path .. ";.\lualibs\?.lua;.\?.lua"
print(package.path)
x = require('getopt')
print(x)

Offline

#24 2013-10-07 20:24:53

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

For both commands I receive the following error:

proxmark3> script run test3.lua
--- Executing: ./scripts/test3.lua, args''
./scripts/test3.lua:2: invalid escape sequence near '\l'
-----Finished
proxmark3>

Offline

#25 2013-10-07 20:30:20

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Ok maybe I found the problem: "slash" in script MUST be "/" and not "\";

Answer to 1st script:

proxmark3> script run test3.lua
--- Executing: ./scripts/test3.lua, args''
C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?\init.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?\init.lua;.\?.lua
C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?\init.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?\init.lua;.\?.lua;./lualibs/?.lua
table: 03084230
-----Finished
proxmark3>

Answer to second script:

proxmark3> script run test3.lua
--- Executing: ./scripts/test3.lua, args''
C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?\init.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?\init.lua;.\?.lua
C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\lua\?\init.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?.lua;C:\Users\Administrator\Downloads\Proxmark_Tool\Proxmark Tool\Proxmark Tool\bin\Debug\?\init.lua;.\?.lua;./lualibs/?.lua;./?.lua
table: 03084230
-----Finished
proxmark3>

Folder "\Debug\lua\" is incorrect, must be "\Debug\lualibs" (ignore "Debug", I pasted it only to show it is not in root).

Renaming my "\Debug\lualibs" to "Debug\lua" makes it work.

Last edited by asper (2013-10-07 20:33:59)

Offline

#26 2013-10-07 20:50:36

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

asper wrote:

Ok maybe I found the problem: "slash" in script MUST be "/" and not "\";

Yeah, either that or escape the \, I forgot that - the \ is an escape char, so \\ would have worked.

asper wrote:

Renaming my "\Debug\lualibs" to "Debug\lua" makes it work.

Yes, it would - it's in your package.path. But I want to understand why setting it from C does not work....
After I had made /lualibs/ and it worked on Android - did it work on windows then ? I'm trying to figure out if I've done something that could cause this recently, but I don't know what that could be. Maybe I'll have to try it on a windows-machine one of these days...

Offline

#27 2013-10-07 20:53:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Alternatively we should switch to "\lua" folder... waiting for your updates.

Offline

#28 2013-10-08 08:25:37

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

I fetched the latest windows-binary from sendspace, (pm3-bin-807 : http://www.sendspace.com/file/y6dk7s) into a virtual machine windows 7. I didn't bother to connect the device or anything, just ran the "proxmark3.exe xx".
Then I put a script printing package.path as test.lua:

proxmark3> script run test
--- Executing: ./scripts/test.lua, args''
package.path    C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\lua\?.lua
;C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\lua\?\init.lua;C:\Users\
Martin\Desktop\pm3-bin-807\win32 (client+GUI)\?.lua;C:\Users\Martin\Desktop\pm3-
bin-807\win32 (client+GUI)\?\init.lua;.\?.lua;./lualibs/?.lua

It seems to work fine for me. Are you using that exact binary?

Edit:
And this is when using the GUI-client, also no problems:

ERROR: invalid serial port
proxmark3> script run test
--- Executing: ./scripts/test.lua, args''
package.path	C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\lua\?.lua;C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\lua\?\init.lua;C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\?.lua;C:\Users\Martin\Desktop\pm3-bin-807\win32 (client+GUI)\?\init.lua;.\?.lua;./lualibs/?.lua
-----Finished
proxmark3> 

Edit #2 : Are you sure you're using a different binary, perhaps a version before r785? What does hw ver say?

Last edited by holiman (2013-10-08 08:35:09)

Offline

#29 2013-10-08 08:28:06

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

asper wrote:

Alternatively we should switch to "\lua" folder... waiting for your updates.

That may be a solution, but I don't want to just do something because it magically somehow seems to work, I want to figure out what the problem is with the current solution; the current way to do it should be platform-insensitive, since we explicitly set the lua path. I'd rather not rely on how lua by default sets the package-path on various platforms.

Offline

#30 2013-10-08 08:40:08

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Looking at your script-executing results it seems you also have /lua and not /lualib folder set as path.

Your scripts are working for me (r807) only the lua-libs files are not found/searched in /lualib but in /lua folder.

Offline

#31 2013-10-08 09:10:51

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

No...???
The last entry is ./lualibs/?.lua , that is the entry that I added in r785 (also, that's why that one uses forward slash, the other uses backslash)

Offline

#32 2013-10-08 09:14:44

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

The package path can be set either dynamically during the runtime, that's what we do, and it can also be set at compile time, by modifying LUA_PATH.

When I say worked, I also tested with 'script run parameters' which loads the getopt module, just to see that I didn't get any stacktrace. Are you using the *exact* same binary when testing?

Edit : Some info about how require and package.path works: http://www.lua.org/pil/8.1.html

Last edited by holiman (2013-10-08 09:46:03)

Offline
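
The package.path behaviour worked out in posts #23 to #32, as an added Lua example that is not part of the thread or of the Proxmark3 source. It shows the three ways the path entry was spelled and lists the files require would try, like the "no file ..." lines in post #20. add_lib_dir and search_candidates are hypothetical helper names; ./lualibs and getopt are taken from the thread.

```lua
-- Added example; helper names are made up for illustration.

-- loadstring in Lua 5.1, load in 5.2 and later.
local compile = loadstring or load

-- The same path entry written three ways, each as a small source chunk.
local sources = {
  [[return ".\lualibs\?.lua"]],    -- as posted: \l and \? are not valid escapes
  [[return ".\\lualibs\\?.lua"]],  -- backslashes escaped
  [[return "./lualibs/?.lua"]],    -- forward slashes, valid on Windows and Linux
}

-- Lua 5.2 and later refuse to compile the first chunk ("invalid escape
-- sequence"); Lua 5.1 compiles it but silently drops the backslashes.
for _, src in ipairs(sources) do
  local fn, err = compile(src)
  print(src, fn and fn() or ("compile error: " .. tostring(err)))
end

-- First character of package.config is the directory separator of this build.
local SEP = package.config:sub(1, 1)

-- Append "<dir>/?.lua" to package.path once. Forward slashes are used on
-- purpose so no backslash literal has to be written at all.
local function add_lib_dir(dir)
  local entry = dir .. "/?.lua"
  for existing in package.path:gmatch("[^;]+") do
    if existing == entry then return entry, false end
  end
  package.path = package.path .. ";" .. entry
  return entry, true
end

-- List the files require(name) would try for Lua modules, in order,
-- and whether each one exists.
local function search_candidates(name)
  -- require turns dots in a module name into directory separators.
  local fname = name:gsub("%.", function() return SEP end)
  local tried = {}
  for template in package.path:gmatch("[^;]+") do
    local candidate = template:gsub("%?", function() return fname end)
    local fh = io.open(candidate, "r")
    if fh then fh:close() end
    tried[#tried + 1] = { path = candidate, found = fh ~= nil }
  end
  return tried
end

local entry, added = add_lib_dir("./lualibs")
print("entry", entry, "added", added)

-- Adding the same directory twice must not grow package.path.
local _, added_again = add_lib_dir("./lualibs")
assert(added_again == false)

for _, c in ipairs(search_candidates("getopt")) do
  print(c.found and "found  " or "no file", c.path)
end
```

Run as a script from the client's working directory, it makes it easy to see whether the ./lualibs entry is present in the binary actually being executed.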

#33 2013-10-08 20:01:36

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

New blog post about pm3 scripting - part 2. Also, there's a new script which is the result of these blog-posts, and quite a few people who are new to the pm3 may appreciate (mifare_autopwn).

Offline

#34 2013-10-08 23:14:53

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

My BIG fault ! I was running the client from an old folder so the .exe was not updated ! All is working fine, sorry man :(

Anyway your script seems to work !

proxmark3> script run mifare_autopwn
--- Executing: ./scripts/mifare_autopwn.lua, args''
Card found, commencing crack	6E442129
uid(6e442129) nt(8f699195) par(0000000000000000) ks(040009030d0c0903) nr(30e3ec000000000)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 4 |  1  |0,0,0,0,0,0,0,0|
| 20 |00000020| 0 |  5  |0,0,0,0,0,0,0,0|
| 40 |00000040| 9 |  c  |0,0,0,0,0,0,0,0|
| 60 |00000060| 3 |  6  |0,0,0,0,0,0,0,0|
| 80 |00000080| d |  8  |0,0,0,0,0,0,0,0|
| a0 |000000a0| c |  9  |0,0,0,0,0,0,0,0|
| c0 |000000c0| 9 |  c  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 3 |  6  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(090d0b0305020f02) nr(30e3ec000000001)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| 9 |  c  |0,0,0,0,0,0,0,0|
| 20 |00000021| d |  8  |0,0,0,0,0,0,0,0|
| 40 |00000041| b |  e  |0,0,0,0,0,0,0,0|
| 60 |00000061| 3 |  6  |0,0,0,0,0,0,0,0|
| 80 |00000081| 5 |  0  |0,0,0,0,0,0,0,0|
| a0 |000000a1| 2 |  7  |0,0,0,0,0,0,0,0|
| c0 |000000c1| f |  a  |0,0,0,0,0,0,0,0|
| e0 |000000e1| 2 |  7  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(03030508030b0c0e) nr(30e3ec000000002)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| 3 |  6  |0,0,0,0,0,0,0,0|
| 20 |00000022| 3 |  6  |0,0,0,0,0,0,0,0|
| 40 |00000042| 5 |  0  |0,0,0,0,0,0,0,0|
| 60 |00000062| 8 |  d  |0,0,0,0,0,0,0,0|
| 80 |00000082| 3 |  6  |0,0,0,0,0,0,0,0|
| a0 |000000a2| b |  e  |0,0,0,0,0,0,0,0|
| c0 |000000c2| c |  9  |0,0,0,0,0,0,0,0|
| e0 |000000e2| e |  b  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(02010f030c0d050d) nr(30e3ec000000003)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000003| 2 |  7  |0,0,0,0,0,0,0,0|
| 20 |00000023| 1 |  4  |0,0,0,0,0,0,0,0|
| 40 |00000043| f |  a  |0,0,0,0,0,0,0,0|
| 60 |00000063| 3 |  6  |0,0,0,0,0,0,0,0|
| 80 |00000083| c |  9  |0,0,0,0,0,0,0,0|
| a0 |000000a3| d |  8  |0,0,0,0,0,0,0,0|
| c0 |000000c3| 5 |  0  |0,0,0,0,0,0,0,0|
| e0 |000000e3| d |  8  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(00040f0f0305030e) nr(30e3ec000000004)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000004| 0 |  5  |0,0,0,0,0,0,0,0|
| 20 |00000024| 4 |  1  |0,0,0,0,0,0,0,0|
| 40 |00000044| f |  a  |0,0,0,0,0,0,0,0|
| 60 |00000064| f |  a  |0,0,0,0,0,0,0,0|
| 80 |00000084| 3 |  6  |0,0,0,0,0,0,0,0|
| a0 |000000a4| 5 |  0  |0,0,0,0,0,0,0,0|
| c0 |000000c4| 3 |  6  |0,0,0,0,0,0,0,0|
| e0 |000000e4| e |  b  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
p1:0 p2:0 p3:0 key:ffffffffffff
p1:1b39 p2:b97c p3:1 key:a25e4ee6ba4d
p1:1ca8 p2:c37a p3:2 key:9d4a97efd5b0
p1:2308 p2:ee3e p3:3 key:8794ad98e0ca
p1:27af p2:10da2 p3:4 key:77aebc3dfe57
p1:27e2 p2:10f1a p3:5 key:76ecf2a7c780
p1:2ed0 p2:1408c p3:6 key:5e2422973f9e
p1:37de p2:17f6a p3:7 key:3e28efbcb324
p1:4664 p2:1e1d7 p3:8 key:0cc09bd6a404
key_count:9
Key 	FFFFFFFFFFFF
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0          
Block shift=0          
Testing known keys. Sector count=16          
nested...          
Time in nested: 2.330 (inf sec per key)
-----------------------------------------------
Iterations count: 0
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to bynary file dumpkeys.bin...          
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
|-----------------------------------------|          
|----- Dumping all blocks to file... -----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
Wrote a HTML dump to the file 6E442129.html
Wrote an emulator-dump to the file 6E442129.eml

But I have a problem: when command execution is at the end I press the pm3 button and the red light turns off but when I release the button it turns on and seems to flash very rapidly... it does the same thing also if the script is still executing... so I cannot receive the "aborted by user" message... is this normal ?


Also if I HOLD the PM3 button I receive this:

#db# Stand-alone mode! No PC necessary.       

If I re-hold it:

#db# Starting recording    

And if I re-HOLD it:   

#db# Stopped       
#db# Recorded 0 100 20080000       

but this should be a normal pm3 function... can it be stopped while script is executing ?

Anyway I added it to the GUI under mifare hacks !

EDIT
The improvement you propose:

we could begin by checking default keys. And perhaps also modifying that functionality to stop after one successful key/sector,

are very interesting to speed up the automated process !

Last edited by asper (2013-10-09 07:36:21)

Offline

#35 2013-10-09 07:53:58

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

asper wrote:

My BIG fault ! I was running the client from an old folder so the .exe was not updated !

Heh, I kind of figured something like that had happened smile

asper wrote:

But I have a problem: when command execution is at the end I press the pm3 button and the red light turns off but when I release the button it turns on and seems to flash very rapidly... it does the same thing also if the script is still executing... so I cannot receive the "aborted by user" message... is this normal ?

You should press *a button*, not *the button* - use the keyboard.. When the script is waiting for a new card, the device is just idle. So when you start pressing "teh key", things happen which I don't control smile

Offline

#36 2013-10-09 08:02:06

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Hmmm... looking at the script output, it looks a bit strange that you get all-zero parity every time.
1. Does the same thing happen when doing 'hf mf mifare' ?
2. Does the same thing happen if you run the script again?
3. Does it crack a key with non-default keys (if you have one laying around, pls check, otherwise ignore)?

I'm asking because I want to be sure that there's no flaw in parameter-passing from lua<->c on windows.

Offline

#37 2013-10-09 08:57:00

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

holiman wrote:

Hmmm... looking at the script output, it looks a bit strange that you get all-zero parity every time.
1. Does the same thing happen when doing 'hf mf mifare' ?
2. Does the same thing happen if you run the script again?
3. Does it crack a key with non-default keys (if you have one laying around, pls check, otherwise ignore)?

I'm asking because I want to be sure that there's no flaw in parameter-passing from lua<->c on windows.

1 - Yes
2 - Yes
3 - can't test, sorry

Oh, ok, I must press "a keyboard button" to abort... obviously it works... sorry tongue

Last edited by asper (2013-10-09 08:57:11)

Offline

#38 2013-10-09 09:09:01

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

asper wrote:

1 - Yes
2 - Yes
3 - can't test, sorry

Good, that means that my script behaves the same way as the standard 'hf mf mifare', which implies that there's no problem with my parameter-passing. Thanks for testing.

Offline

#39 2013-10-09 09:12:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Tested another card but I have a problem:

uid(3e172b29) nt(039b7bd2) par(0000000000000000) ks(060a0208030b030c) nr(321427000000000)


parity is all zero,try special attack!just wait for few more seconds...

uid(3e172b29) nt(039b7bd2) par(0000000000000000) ks(0c0e0f0505080800) nr(321427000000001)


parity is all zero,try special attack!just wait for few more seconds...

uid(3e172b29) nt(039b7bd2) par(0000000000000000) ks(0e06090d03000b0f) nr(321427000000002)


parity is all zero,try special attack!just wait for few more seconds...
--block no:00 key type:00 key:a5 a4 a3 a2 a1 a0  etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
-----------------------------------------------
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
-----------------------------------------------
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
-----------------------------------------------
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
-----------------------------------------------
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
-----------------------------------------------
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
-----------------------------------------------
Sending bytes to proxmark failed
-----------------------------------------------
Sending bytes to proxmark failed
-----------------------------------------------
Sending bytes to proxmark failed
-----------------------------------------------
Sending bytes to proxmark failed

Offline

#40 2013-10-09 09:14:32

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

This is the same card with mf mifare command:

proxmark3> hf mf mifare 
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..
uid(3e172b29) nt(19d8dc93) par(0000000000000000) ks(060102060c000409) nr(2400000000)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 6 |  3  |0,0,0,0,0,0,0,0|
| 20 |00000020| 1 |  4  |0,0,0,0,0,0,0,0|
| 40 |00000040| 2 |  7  |0,0,0,0,0,0,0,0|
| 60 |00000060| 6 |  3  |0,0,0,0,0,0,0,0|
| 80 |00000080| c |  9  |0,0,0,0,0,0,0,0|
| a0 |000000a0| 0 |  5  |0,0,0,0,0,0,0,0|
| c0 |000000c0| 4 |  1  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 9 |  c  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=19d8dc93          
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          
..
uid(3e172b29) nt(19d8dc93) par(0000000000000000) ks(020f0205030a0103) nr(2400000001)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| 2 |  7  |0,0,0,0,0,0,0,0|
| 20 |00000021| f |  a  |0,0,0,0,0,0,0,0|
| 40 |00000041| 2 |  7  |0,0,0,0,0,0,0,0|
| 60 |00000061| 5 |  0  |0,0,0,0,0,0,0,0|
| 80 |00000081| 3 |  6  |0,0,0,0,0,0,0,0|
| a0 |000000a1| a |  f  |0,0,0,0,0,0,0,0|
| c0 |000000c1| 1 |  4  |0,0,0,0,0,0,0,0|
| e0 |000000e1| 3 |  6  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=19d8dc93          
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          
..
uid(3e172b29) nt(19d8dc93) par(0000000000000000) ks(060002020901030d) nr(2400000002)
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| 6 |  3  |0,0,0,0,0,0,0,0|
| 20 |00000022| 0 |  5  |0,0,0,0,0,0,0,0|
| 40 |00000042| 2 |  7  |0,0,0,0,0,0,0,0|
| 60 |00000062| 2 |  7  |0,0,0,0,0,0,0,0|
| 80 |00000082| 9 |  c  |0,0,0,0,0,0,0,0|
| a0 |000000a2| 1 |  4  |0,0,0,0,0,0,0,0|
| c0 |000000c2| 3 |  6  |0,0,0,0,0,0,0,0|
| e0 |000000e2| d |  8  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
p1:9cc p2:56c p3:0 key:fc7024b7329e
p1:13c5 p2:ad5 p3:1 key:f8de671c7959
p1:26bd p2:153e p3:2 key:f2162b9a65eb
p1:3ad8 p2:202b p3:3 key:eaddeed50157
p1:3aef p2:2037 p3:4 key:ead59b004069
p1:3b92 p2:208a p3:5 key:ea996fe76091
p1:5d0e p2:32ee p3:6 key:de7c5cbba1f4
p1:9fd8 p2:56d0 p3:7 key:c68c89600d48
p1:ae5d p2:5eed p3:8 key:c137693b4db9
p1:f6cc p2:8686 p3:9 key:a74f6b5d3cff
p1:1029c p2:8c46 p3:a key:a33d42738e95
p1:109a5 p2:8ff5 p3:b key:a0a1a2a3a4a5
p1:11f9a p2:9c1c p3:c key:98bac4abcfa4
p1:141ee p2:aef1 p3:d key:8c5c98de8e61
p1:15080 p2:b6e0 p3:e key:873458801707
p1:177a3 p2:cc2a p3:f key:7960a057da60
p1:19082 p2:d9e9 p3:10 key:705ebff9e93d
p1:19134 p2:da3d p3:11 key:7021e74271b0
p1:1c4b9 p2:f637 p3:12 key:5dc00a149176
p1:1d007 p2:fc6a p3:13 key:59bccd4a7499
p1:1d45d p2:fece p3:14 key:582e8b34f027
p1:1e1c1 p2:10611 p3:15 key:535474dc6bbf
p1:1e472 p2:10779 p3:16 key:526322a01a7a
p1:1e6a1 p2:108c2 p3:17 key:51954b0ac345
p1:20285 p2:117d9 p3:18 key:47941c625a34
p1:2087b p2:11b15 p3:19 key:456cd679d1ee
p1:2121a p2:1204e p3:1a key:41fd1e2125eb
p1:21630 p2:12257 p3:1b key:408c14822c1e
p1:245d3 p2:13c48 p3:1c key:2fa4f264388a
p1:2681c p2:14f40 p3:1d key:23615e26b08d
p1:26cd9 p2:151e9 p3:1e key:2196d839a413
p1:293be p2:166db p3:1f key:13b3da632528
p1:29eee p2:16d49 p3:20 key:0f9259ed0b27
p1:2a571 p2:170d6 p3:21 key:0d3a1d66f7c6
p1:2a5f3 p2:17126 p3:22 key:0d0b80ac6c94
p1:2c06d p2:17fb2 p3:23 key:03bd8e4713bc
key_count:36
------------------------------------------------------------------
Key found:a0a1a2a3a4a5 
Found valid key:a0a1a2a3a4a5          
proxmark3> 

In particular using your script:

--block no:00 key type:00 key:a5 a4 a3 a2 a1 a0  etrans:0

is it possible that key value is passed "inverted" to the next command (it can explain why it works with FFFFFFFFFFFF keys) ?

Last edited by asper (2013-10-09 09:19:07)

Offline

#41 2013-10-09 09:18:50

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Ah, nice! It seems I interpret the key ass-backwards. Didn't notice that with FFFFFFFFFFFF-keys. I'll fix that this evening

Offline

#42 2013-10-09 09:19:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Good !

Offline

#43 2013-10-09 20:08:48

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

holiman wrote:

It seems I interpret the key ass-backwards.

Fixed as of r811

Offline
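The byte-order mismatch found in posts #39 to #41, as an added example that is not code from the Proxmark3 repository: it compares the key a recovery step reports with the key the next command says it received, and shows why an all-FF key cannot reveal a reversal. The function names and the combined sample transcripts are assumptions made for this illustration.

```python
import re

# Constructed transcript: the "Found valid key" line from 'hf mf mifare' and the
# "--block no" line from the script run, both quoted from posts #39 and #40.
THREAD_SAMPLE = """\
Found valid key:a0a1a2a3a4a5
--block no:00 key type:00 key:a5 a4 a3 a2 a1 a0  etrans:0
"""

# Constructed control case: the same hand-off with the all-FF default key.
DEFAULT_KEY_SAMPLE = """\
Found valid key:ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0
"""

FOUND_RE = re.compile(r"Found valid key:\s*([0-9a-fA-F]{12})")
PASSED_RE = re.compile(
    r"--block no:\S+ key type:\S+ key:((?:[0-9a-fA-F]{2} ?){6})"
)


def is_order_sensitive(key):
    """True if reversing the bytes changes the key, so a reversal is visible."""
    return key != key[::-1]


def classify(found, passed):
    """Compare the recovered key with the key handed to the next command."""
    if found == passed:
        # A byte-palindromic key looks identical either way round, so a
        # "pass" with it proves nothing about byte order.
        return "match" if is_order_sensitive(found) else "inconclusive"
    if found == passed[::-1]:
        return "reversed"
    return "mismatch"


def audit(transcript):
    """Classify the first recovered-key / passed-key pair in a transcript."""
    f = FOUND_RE.search(transcript)
    p = PASSED_RE.search(transcript)
    if not f or not p:
        return "unparsed"
    found = bytes.fromhex(f.group(1))
    passed = bytes.fromhex(p.group(1).replace(" ", ""))
    return classify(found, passed)


if __name__ == "__main__":
    print("thread sample :", audit(THREAD_SAMPLE))
    print("all-FF sample :", audit(DEFAULT_KEY_SAMPLE))
```

A regression check for this kind of hand-off needs at least one key for which `is_order_sensitive` is true; keys such as FFFFFFFFFFFF only ever yield "inconclusive".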

#44 2013-10-18 12:15:30

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

New script committed in r821, ndef_dump. It is written together with Asper, who did all testing and told me how it should work - he's the protocol wizard.

Offline

#45 2013-10-18 12:18:23

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Scripting committed to trunk

Too polite Holiman wink

Here is an example of the script running:

proxmark3> script run ndef_dump
--- Executing: ./scripts/ndef_dump.lua, args''
Number of blocks:	38
Dumping data...please wait
Tag manufacturer: Infineon Technologies AG [Germany]
Tag UID: 053400049CAD7F
Tag NDEF version: 0x10
Block 00: 05 34 00 b9
Block 01: 04 9c ad 7f
Block 02: 4a 00 00 00
Block 03: e1 10 10 00
Block 04: 03 03 d0 00
Block 05: 00 fe 00 00
Block 06: 6e 35 35 35
Block 07: 35 35 35 35
Block 08: 00 00 00 00
Block 09: 0a fe 00 00
Block 0a: 00 00 00 00
Block 0b: 00 00 00 00
Block 0c: 00 00 00 00
Block 0d: 00 00 00 00
Block 0e: 00 00 00 00
Block 0f: 55 55 55 55
Block 10: 55 55 55 55
Block 11: 00 00 00 00
Block 12: 00 00 00 00
Block 13: 00 00 00 00
Block 14: 00 00 00 00
Block 15: 00 00 00 00
Block 16: 00 00 00 00
Block 17: 00 00 00 00
Block 18: 00 00 00 00
Block 19: 00 00 00 00
Block 1a: 00 00 00 00
Block 1b: 00 00 00 00
Block 1c: 00 00 00 00
Block 1d: 00 00 00 00
Block 1e: 00 00 00 00
Block 1f: 77 77 77 77
Block 20: 99 99 99 99
Block 21: 00 00 00 00
Block 22: 00 00 00 00
Block 23: 00 00 00 00
Block 24: 00 00 00 00
Block 25: 32 c0 c6 c1
-----Finished
proxmark3> 

Offline
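A reader for the block listing shown in post #45, as an added example that is not the ndef_dump script itself: it rebuilds tag memory from the "Block NN:" lines, verifies the UID check bytes, decodes the capability container in block 03 and walks the TLVs that follow. It assumes the NFC Forum Type 2 Tag memory layout, which the thread does not name; the function names are hypothetical and the input is the first ten block lines of the transcript.

```python
import re

# Constructed input: the first ten block lines of the transcript in post #45.
DUMP = """\
Block 00: 05 34 00 b9
Block 01: 04 9c ad 7f
Block 02: 4a 00 00 00
Block 03: e1 10 10 00
Block 04: 03 03 d0 00
Block 05: 00 fe 00 00
Block 06: 6e 35 35 35
Block 07: 35 35 35 35
Block 08: 00 00 00 00
Block 09: 0a fe 00 00
"""

BLOCK_RE = re.compile(
    r"^Block ([0-9a-f]{2}): ((?:[0-9a-f]{2} ?){4})[ \t]*$", re.I | re.M
)
TLV_NAMES = {0x01: "LOCK_CONTROL", 0x02: "MEMORY_CONTROL",
             0x03: "NDEF_MESSAGE", 0xFD: "PROPRIETARY"}


def parse_blocks(text):
    """Return tag memory as bytes; reject gaps so byte offsets stay valid."""
    mem = bytearray()
    for expected, m in enumerate(BLOCK_RE.finditer(text)):
        if int(m.group(1), 16) != expected:
            raise ValueError(f"block {expected:02x} missing or out of order")
        mem += bytes.fromhex(m.group(2))
    if len(mem) < 16:
        raise ValueError("dump does not reach the capability container")
    return bytes(mem)


def check_uid(mem):
    """Return (7-byte UID as hex, True if both check bytes are consistent)."""
    uid = mem[0:3] + mem[4:8]
    bcc0 = 0x88 ^ mem[0] ^ mem[1] ^ mem[2]   # 0x88 is the cascade tag
    bcc1 = mem[4] ^ mem[5] ^ mem[6] ^ mem[7]
    return uid.hex().upper(), (bcc0 == mem[3] and bcc1 == mem[8])


def parse_cc(mem):
    """Decode the 4-byte capability container stored in block 03."""
    magic, version, size, access = mem[12:16]
    if magic != 0xE1:
        raise ValueError("block 03 does not start with the NDEF magic 0xE1")
    return {"version": f"{version >> 4}.{version & 0x0F}",
            "data_bytes": size * 8,
            "read_access": access >> 4, "write_access": access & 0x0F}


def walk_tlvs(mem, data_bytes):
    """List (name, value) TLVs from block 04 up to the Terminator TLV."""
    end = min(len(mem), 16 + data_bytes)
    pos, found = 16, []
    while pos < end:
        tag = mem[pos]
        pos += 1
        if tag == 0x00:                      # NULL TLV: padding, no length
            continue
        if tag == 0xFE:                      # Terminator: ignore what follows
            found.append(("TERMINATOR", b""))
            break
        if pos >= end:
            raise ValueError("TLV cut off before its length byte")
        length = mem[pos]
        pos += 1
        if length == 0xFF:                   # three-byte length form
            if pos + 2 > end:
                raise ValueError("TLV cut off inside its length field")
            length = int.from_bytes(mem[pos:pos + 2], "big")
            pos += 2
        if pos + length > end:
            raise ValueError("TLV value runs past the available data")
        found.append((TLV_NAMES.get(tag, f"0x{tag:02X}"), mem[pos:pos + length]))
        pos += length
    return found


def record_header(msg):
    """Decode the flag byte and lengths of the first NDEF record."""
    if len(msg) < 3:
        raise ValueError("NDEF record shorter than its header")
    flags = msg[0]
    short = bool(flags & 0x10)
    plen = msg[2] if short else int.from_bytes(msg[2:6], "big")
    return {"MB": bool(flags & 0x80), "ME": bool(flags & 0x40), "SR": short,
            "TNF": flags & 0x07, "type_len": msg[1], "payload_len": plen}


if __name__ == "__main__":
    memory = parse_blocks(DUMP)
    cc = parse_cc(memory)
    print(check_uid(memory), cc, walk_tlvs(memory, cc["data_bytes"]))
```

Bytes after the Terminator TLV (blocks 06 onward in this dump) are not interpreted as NDEF data.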

#46 2014-01-12 19:41:04

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Scripting committed to trunk

Sent you a mail..

Offline
