Fudan FM11R08* full-card recovery script; with Bambu tag support #2613
Conversation
|
You are welcome to add an entry to the CHANGELOG.md as well |
|
Nice one, |
|
I totally failed to spot the GPL3 licence - clearly monoscopically focused
on getting the script working - <facepalm>
If I change my script to be dual licence (GPL/MIT), will that satisfy your
requirements? ...Or is it a case of "GPL3 or nothing"?
…On Mon, Nov 4, 2024 at 12:20 PM Iceman ***@***.***> wrote:
Nice one,
We prefer to use GPL3.0 or later as a license in this project, so if you
wouldn't mind?
—
Reply to this email directly, view it on GitHub
<#2613 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAUUAGPXGOXQT42BSEXHSEDZ65RBHAVCNFSM6AAAAABRDKUT5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJUGU3TGMRSHE>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
it will make our lives much easier if its a "GPL3 or later" license. If you wanna make a "free license" its also ok, but when we start mixing its just harder. When we use third party libs, we try finding GPL3 versions, MIT or free. but of code that is all in here its GPL3 or later. Your script can have your copyright with the license GPL3 or later. If you post your script somewhere else, it can be any license you like. However in here its locked down to GPL3. If this all made sense, please have understanding that trying to uphold open source licenses is a nightmare if mixed. |
client/pyscripts/fm11rf08_full.py
Outdated
| else: | ||
| lprint("") | ||
|
|
||
| # We need to flush all the output we just collected <shrug> |
There was a problem hiding this comment.
use p.console(...., capture=False) and you don't have to flush grabbed_output
client/pyscripts/fm11rf08_full.py
Outdated
| We decided the flag would be: The MD5 of the card data, | ||
| but this had to include all 8 documented Dark blocks AND all 32+2=34 Keys. | ||
| Not rocket surgery if you know what you're doing, but non-trivial for someone | ||
| who is still struggling to spell `autoporn` <-- yes, this happened! |
There was a problem hiding this comment.
funny but keep your comments formal and short. thanks
| @@ -0,0 +1,942 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
I find the script name confusing.
fm11rf08s_recovery provides also a full dump and a key dump, like autopwn
so call this one "demo" or "verbose" but not "full"
There was a problem hiding this comment.
if you dump the card using recovery and then dump the card using full and then do an ls you will see that the (so called) "full" file is 128 bytes longer because (as discussed in the verbose intro) it includes "all 8 documented Dark blocks"
proxmark@linux:~$ ls hf-mf-5CB49CA6-dump*.bin -l
-rw-r--r-- 1 prox prox 1152 Nov 4 00:26 hf-mf-5CB49CA6-dump18.bin
-rw-r--r-- 1 prox prox 1024 Oct 30 18:59 hf-mf-5CB49CA6-dump.bin
As for the name ...It was called bc.py until the last minute, and I just thought "the full 18 blocks" is what I was going after, and grabbed the word "full" ...If you think that name is misleading, then yes, let's pick something better.
There was a problem hiding this comment.
Ha! Initially I didn't make the link when you say "dark".
You use the term "dark" both for the backdoor key (see getDarkKey) and for the advanced verification method blocks.
In MFC, dark refers to darkside (and now the variant darknested which replaces darkside+nested)
and personally I would avoid reusing the same term in other contexts.
- dark key => backdoor key
- dark blocks => advanced verification method blocks (or some shorter avblocks for example)
If the extra blocks are useful to get, better to change the existing commands than adding an entire new script.
Right now I refrained to do so because the existing commands cannot handle dumps of unexpected sizes, so your dump cannot be used by e.g. hf mf restore. We already have the problem with the keys file at the moment.
This is planned to handle properly these oversized dumps and keyfiles, but it takes time.
So we can merge your code but don't be surprised if tomorrow it becomes redundant.
There was a problem hiding this comment.
As I say, the script as it stands solved a very specific problem. And, as with the "library functions" comments, if this script become a part of the (metaphoric) Borg Collective, that's no bad thing.
Re. the word "dark": We needed a word so we could discuss it. Your paper used the phrase "dark keys" and extended nested to "dark nested" ...So we took inspiration, and called the additional blocks (which we discovered from the same paper) "dark blocks" ...Again, if it's confusing - this is exactly the right moment to change it :)
| checkVer() | ||
| parseCli() | ||
|
|
||
| print(f"{prompt} Fudan FM11RF08[S] full card recovery") |
There was a problem hiding this comment.
same remark as for the script name
There was a problem hiding this comment.
Again I just wanted a way to highlight that this script retrieves the 8 Dark blocks, I am happy to accept a better/clearer message that conveys that.
| # >> "uid" | ||
| # >> "uids" | ||
| #============================================================================== | ||
| def decodeBlock0(): |
There was a problem hiding this comment.
it would be interesting to isolate this function in a separate file to be imported, so other ppl can use it in their scripts s well, or call the script with a provided block0
There was a problem hiding this comment.
If/when this script gets pulled, I would be flattered if functions were yanked to a library. If/when that happens it would probably be wise to pick a more "API" style name for the function. I dunno, maybe hf_mf_block0_decode(binaryData[16]) ...but I'm sure you guys probably have a naming convention - so "whatever fits" is good by me
Same goes for the following 4 similar comments :)
| [=] 0 | 5C B4 9C A6 D2 08 04 00 04 59 92 25 BF 5F 70 90 | \........Y.%._p. | ||
| ''' | ||
| #============================================================================== | ||
| def readBlocks(): |
There was a problem hiding this comment.
redundant with the dump file already provided by recovery()
or call it verifyDump as you have the verifyKeys...
There was a problem hiding this comment.
Considerations:
~ This function reads the 8 Dark blocks in addition to the 64 "normal" blocks (which were read by recovery())
~ verifyKeys takes the known keys and verifies that they are still valid. ...because we would like to avoid waiting "<30mins" if possible
~ readBlocks deliberately re-reads the card each time it is run, so as to detect edits to the card ...it only takes a few seconds ...I have to read it all to verify nothing has changed, at which point, well, I've just read it all ...There may well be credit to writing a verifyBlocks() function to detect changes - but that would need to call readblock() and loadOldFile()
~ The feature bloat had already crept in when I started detecting and decoding various tags - I just had to draw the line somewhere (for now)
There was a problem hiding this comment.
if you need to read the card, using "hf mf ecfill -c 4 -k ..." is wayyy faster.
Then, yes, for now, you've to dump manually the 8 avblocks because as said above, it is not yet supported in ecfill or any other mfc emulation command. (I think even letting a "hf mf ecfill --4k -c 4 -k..." dumping and failing over unexisting sectors is still faster)
| 3 | 00 00 00 00 00 00 87 87 87 69 00 00 00 00 00 00 | .........i...... | ||
| ''' | ||
| #============================================================================== | ||
| def patchKeys(keyok): |
There was a problem hiding this comment.
note that dump from recovery is already patched
There was a problem hiding this comment.
For reasons discussed above, I do not load the existing dump.bin so this action is 'required'
| #+============================================================================= | ||
| # Let's try to detect a Bambu card by the date strings... | ||
| #============================================================================== | ||
| def detectBambu(): |
There was a problem hiding this comment.
it would be interesting to isolate this function in a separate file to be imported, so other ppl can use it in their scripts s well, or call the script with a provided block0
There was a problem hiding this comment.
qv. #2613 (comment)
this needs data other than block 0
| 3 | 00 00 00 00 00 00 87 87 87 69 00 00 00 00 00 00 | .........i...... | ||
| ''' | ||
| #+============================================================================= | ||
| def dumpBambu(): |
There was a problem hiding this comment.
it would be interesting to isolate this function in a separate file to be imported, so other ppl can use it in their scripts s well, or call the script with a provided block0
There was a problem hiding this comment.
qv. #2613 (comment)
This needs data other than block0
| IF YOU PLAN TO CHANGE ACCESS BITS, RTFM, THERE IS MUCH TO CONSIDER ! | ||
| ''' | ||
| #============================================================================== | ||
| def dumpAcl(): |
There was a problem hiding this comment.
it would be interesting to isolate this function in a separate file to be imported, so other ppl can use it in their scripts s well, or call the script with a provided block0.
Note that we already have hf mf acl
There was a problem hiding this comment.
qv. #2613 (comment)
this function requires data other than block 0
I was originally going to call hf mf acl (as I say, this script is initially to support a defcon workshop) and parse the output (if I had to), but in the end I found the output difficult to decipher, and tricky to parse - ultimately, some bit twiddling just seemed easier.
Thank you for taking time to explain your position. I really hadn't considered the potential nightmare of maintaining multiple licences in one repository. I totally understand. In case you're wondering: I have both personal and professional reasons to dislike what GPL3 has done to hinder development of/with cross-platform support, and the damage it has done to the security landscape; and I just want to make sure anything I personally release can be used by anybody for any reason and in any way they so desire ...yourself (and this fantastic project) included :) How about this?: |
Just to say, I second Iceman comment on the license with this example: I discussed many parts of this script as better being moved into some common MFC helper functions Python module. Now if each helper function had to retain its original license, it becomes a nightmare to constitute such module mixing licenses.
Fair enough. On our side, we tend to dislike the several manufacturers who stole the proxmark3 code to make their closed-source variants...
IMHO the first sentence is useless. "Original version" is important because once merged, over time, this code will evolve in the repo. |
|
Here is what I suggest you put on top of your script file. and since we use git, we don't need a "internal" change log. When @doegox is happy, we merge |
|
We can merge, then I'll make the discussed changes (module etc) |
|
but yeah change the licensing terms before merge, else it looks like maintainers are rewriting your terms... |
it is done |
|
Excellent! |
Beyond the original recovery script (used by this script) this script performs a number of tasks to aid us teaching NFC at our local defcon meet.
qv. https://eprint.iacr.org/2024/1275.pdf [Philippe Teuwen]